Cryptographic system, re-encryption key generation device, re-encryption device, cryptographic method, and cryptographic program

ABSTRACT

It is an object to implement a functional proxy re-encryption scheme. A decryption device  300  transmits to a re-encryption device  400  a decryption key k* rk  which is generated by converting, using conversion information W 1 , a decryption key k* in which is set one of attribute information x and attribute information v corresponding to each other, and encrypted conversion information ψ rk  which is generated by encrypting the conversion information W 1  with one of attribute information x′ and attribute information v′ corresponding to each other being set. The re-encryption device  400  generates a re-encrypted ciphertext CT, constituted by a ciphertext c renc  which is generated by setting at least one of additional information H and additional information Θ corresponding to each other in a ciphertext c enc  in which is set the other one of the attribute information x and the attribute information v, and a decryption key k* renc  which is generated by setting at least the other one of the additional information H and the additional information Θ in the decryption key k* rk .

TECHNICAL FIELD

The present invention relates to functional proxy re-encryption (FPRE).

BACKGROUND ART

Proxy re-encryption (PRE) is a system which allows decryption rights forciphertexts to be delegated to third parties without decrypting theciphertexts. Non-Patent Literature 1 discusses an identity-based PRE(IBPRE) scheme. Non-Patent Literature 2 discusses an attribute-based PRE(ABPRE) scheme. According to the PRE scheme discussed in Non-PatentLiterature 2, only attributes consisting of AND and negative elementscan be specified for ciphertexts.

Patent Literature 1 discusses functional encryption (FE).

CITATION LIST Patent Literature

-   Patent Literature 1: JP 2012-133214 A

Non-Patent Literature

-   Non-Patent Literature 1: M. Green, and G. Ateniese, Identity-Based    Proxy Re-encryption. In Applied Cryptography and Network Security.    volume 4521 of LNCS, pp 288-306, 2007.-   Non-Patent Literature 2: Xiaohui Liang, Zhenfu Cao, Huang Lin, Jun    Shao. Attribute based proxy re-encryption with delegating    capabilities. ASIA CCS 2009 pp. 276-286.-   Non-Patent Literature 3: Okamoto, T Takashima, K.: Decentralized    Attribute-Based Signatures. ePrint http://eprint.iacr.org/2011/701-   Non-Patent Literature 4: Okamoto, T Takashima, K.: Fully Secure    Unbounded Inner-Product and Attribute-Based Encryption. ePrint    http://eprint.iacr.org/2012/671-   Non-Patent Literature 5: Okamoto, T., Takashima, K.: Achieving Short    Ciphertexts or Short Secret-Keys for Adaptively Secure General    Inner-Product Encryption. CANS 2011, LNCS, vol. 7092, pp. 138-159    Springer Heidelberg (2011)

SUMMARY OF INVENTION Technical Problem

There has been no implementation of an FPRE scheme.

For PRE schemes that have been implemented, there has been a problem,which is that third parties to whom delegation is possible with a singlere-encryption key are limited to only a single user or users having veryrestricted attributes.

It is an object of the present invention to provide a PRE scheme whichallows flexible selection of third parties to whom delegation ispossible with a single re-encryption key.

Solution to Problem

A cryptographic system according to the present invention implements aproxy re-encryption function in a cryptographic scheme according towhich when two pieces of information correspond to each other, aciphertext in which is set one of the two pieces of information can bedecrypted with a decryption key in which is set the other one of the twopieces of information, and includes a re-encryption key generationdevice and a re-encryption device,

wherein the re-encryption key generation device includes

a decryption key k*^(rk) generation part that generates a decryption keyk*^(rk) by converting, using conversion information W₁, a decryption keyk* in which is set one of attribute information x and attributeinformation v corresponding to each other;

a conversion information W₁ encryption part that generates encryptedconversion information ψ^(rk) by encrypting the conversion informationW₁ with one of attribute information x′ and attribute information v′corresponding to each other being set; and

a re-encryption key transmission part that transmits to there-encryption device the decryption key k*^(rk) and the encryptedconversion information ψ^(rk), as a re-encryption key rk; and

wherein the re-encryption device includes

a ciphertext receiving part that receives a ciphertext c^(enc) in whichis set the other one of the attribute information x and the attributeinformation v;

a ciphertext c^(renc) generation part that generates a ciphertextc^(renc) by setting at least one of additional information H andadditional information Θ corresponding to each other in the ciphertextc^(enc) received by the ciphertext receiving part;

a decryption key k*^(renc) generation part that generates a decryptionkey k*^(renc) by setting at least the other one of the additionalinformation H and the additional information Θ in the decryption keyk*^(rk) included in the re-encryption key rk; and

a re-encrypted ciphertext transmission part that transmits theciphertext c^(renc), the decryption key k*^(renc), and the encryptedconversion information ψ^(rk), as a re-encrypted ciphertext CT.

Advantageous Effects of Invention

A cryptographic system according to the present invention can implementan FPRE scheme. Thus, a single re-encryption key can be used to forwarda ciphertext to a set of various types of users. Specifically, a generalnon-monotonic access structure can be embedded in a re-encryption key,allowing flexible forwarding settings without restrictions on forwardingdestination users.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is an explanatory drawing of a matrix M^;

FIG. 2 is an explanatory drawing of a matrix M_(δ);

FIG. 3 is an explanatory drawing of s₀;

FIG. 4 is an explanatory drawing of s^(→T);

FIG. 5 is a configuration diagram of a cryptographic processing system10 that implements a CP-FPRE scheme;

FIG. 6 is a functional block diagram illustrating the function of a keygeneration device 100;

FIG. 7 is a functional block diagram illustrating the function of anencryption device 200;

FIG. 8 is a functional block diagram illustrating the function of adecryption device 300;

FIG. 9 is a functional block diagram illustrating the function of are-encryption device 400;

FIG. 10 is a functional block diagram illustrating the function of are-encrypted ciphertext decryption device 500;

FIG. 11 is a flowchart illustrating the process of a Setup algorithm;

FIG. 12 is a flowchart illustrating the process of a KG algorithm;

FIG. 13 is a flowchart illustrating the process of an Enc algorithm;

FIG. 14 is a flowchart illustrating the process of an RKG algorithm;

FIG. 15 is a flowchart illustrating the process of an REnc algorithm;

FIG. 16 is a flowchart illustrating the process of a Dec1 algorithm;

FIG. 17 is a flowchart illustrating the process of a Dec2 algorithm;

FIG. 18 is a configuration diagram of a cryptographic processing system10 that implements a KP-FPRE scheme;

FIG. 19 is a functional block diagram illustrating the function of a keygeneration device 100;

FIG. 20 is a functional block diagram illustrating the function of anencryption device 200;

FIG. 21 is a functional block diagram illustrating the function of adecryption device 300;

FIG. 22 is a functional block diagram illustrating the function of are-encryption device 400;

FIG. 23 is a functional block diagram illustrating the function of are-encrypted ciphertext decryption device 500;

FIG. 24 is a flowchart illustrating the process of a KG algorithm;

FIG. 25 is a flowchart illustrating the process of an Enc algorithm;

FIG. 26 is a flowchart illustrating the process of an RKG algorithm;

FIG. 27 is a flowchart illustrating the process of an REnc algorithm;

FIG. 28 is a flowchart illustrating the process of a Dec1 algorithm;

FIG. 29 is a flowchart illustrating the process of a Dec2 algorithm; and

FIG. 30 is a diagram illustrating an example of a hardware configurationof the key generation device 100, the encryption device 200, thedecryption device 300, the re-encryption device 400, and there-encrypted ciphertext decryption device 500.

DESCRIPTION OF EMBODIMENTS

Embodiments of the present invention will be described hereinafter withreference to the accompanying drawings.

In the following description, a processing device is a CPU 911 or thelike to be described later. A storage device is a ROM 913, a RAM 914, amagnetic disk 920 or the like to be described later. A communicationdevice is a communication board 915 or the like to be described later.An input device is a keyboard 902, the communication board 915 or thelike to be described later. That is, the processing device, the storagedevice, the communication device, and the input device are hardware.

Notations to be used in the following description will be described.

When A is a random variable or distribution, Formula 101 denotes that yis randomly selected from A according to the distribution of A. That is,y is a random number in Formula 101.

$\begin{matrix}{y\overset{R}{\longleftarrow}A} & \left\lbrack {{Formula}\mspace{14mu} 101} \right\rbrack\end{matrix}$

When A is a set, Formula 102 denotes that y is uniformly selected fromA. That is, y is a uniform random number in Formula 102.

$\begin{matrix}{y\overset{U}{\longleftarrow}A} & \left\lbrack {{Formula}\mspace{14mu} 102} \right\rbrack\end{matrix}$

Formula 103 denotes that y is a set defined or substituted by z.y:=z  [Formula 103]When a is a fixed value, Formula 104 denotes that a machine (algorithm)A outputs a on input x.A(x)→a  [Formula 104]For example,A(x)→1

Formula 105, namely F_(q), denotes a finite field of order q.

_(q)  [Formula 105]

A vector symbol denotes a vector representation over the finite fieldF_(q), as indicated in Formula 106.[Formula 106]{right arrow over (x)} denotes(x ₁ , . . . ,x _(n))ε

_(q) ^(n).

Formula 107 denotes that the inner-product, indicated in Formula 109, oftwo vectors x^(→) and v^(→) indicated in Formula 108.{right arrow over (x)}·{right arrow over (v)}  [Formula 107]{right arrow over (x)}=(x ₁ , . . . ,x _(n)),{right arrow over (v)}=(v ₁ , . . . ,v _(n))  [Formula 108]Σ_(i=1) ^(n) x _(i) v _(i)  [Formula 109]

Note that X^(T) denotes the transpose of a matrix X.

For a basis B and a basis B* indicated in Formula 110, Formula 111 isestablished.

:=(b ₁ , . . . ,b _(N)),

:=(b* ₁ , . . . ,b* _(N))  [Formula 110](x ₁ , . . . ,x _(N)

:=Σ_(i=1) ^(N) x _(i) b _(i),(y ₁ , . . . ,y _(N)

*:=Σ_(i=1) ^(N) y _(i) b* _(i)[Formula 111]

Note that e^(→) _(j) denotes an orthonormal basis vector indicated inFormula 112.

$\begin{matrix}{{{{{\overset{\rightarrow}{e}}_{j}\text{:}\mspace{11mu}\left( {{\overset{\overset{j - 1}{︷}}{{0\mspace{11mu}\ldots\mspace{11mu} 0},}\mspace{11mu} 1},\overset{\overset{n - j}{︷}}{0\mspace{11mu}\ldots\mspace{11mu} 0}} \right)} \in {{??}_{q}^{n}\mspace{14mu}{for}\mspace{14mu} j}} = 1},\ldots\mspace{14mu},n,} & \left\lbrack {{Formula}\mspace{14mu} 112} \right\rbrack\end{matrix}$

In the following description, when “Vt”, “nt”, “ut”, and “zt” are eachrepresented as a subscript or superscript, these Vt, nt, ut and, ztrespectively denote V_(t), n_(t), u_(t), and z_(t). Likewise, when“δi,j” is represented as a superscript, this δi,j denotes δ_(i,j).

When “→” denoting a vector is attached to a subscript or superscript, itis meant that this “→” is attached as a superscript to the subscript orsuperscript.

In the following description, cryptographic processes include a keygeneration process, an encryption process, a re-encryption keygeneration process, a re-encryption process, a decryption process, and are-encrypted ciphertext decryption process.

Embodiment 1

This embodiment describes a basic concept for implementing an FPREscheme, and then describes a structure of the FPRE scheme according tothis embodiment.

First, FPRE will be briefly described.

Second, a space having a rich mathematical structure called “dualpairing vector spaces (DPVS)” which is a space for implementing the FPREscheme will be described.

Third, a concept for implementing the FPRE scheme will be described.Here, a span program, an inner-product of attribute vectors and anaccess structure, and a secret distribution scheme (secret sharingscheme) will be described.

Fourth, the FPRE scheme according to this embodiment will be described.In this embodiment, a ciphertext-policy FPRE scheme (CP-FPRE) schemewill be described. First, a basic structure of the CP-FPRE scheme willbe described. Then, a basic configuration of a cryptographic processingsystem 10 that implements the CP-FPRE scheme will be described. Then,items used for implementing the CP-FPRE scheme will be described. Then,the CP-FPRE scheme and the cryptographic processing system 10 accordingto this embodiment will be described in detail.

<1. FPRE>

FPRE is a proxy re-encryption scheme which provides more sophisticatedand flexible relations among an encryption key (ek), a decryption key(dk), and a re-encryption key (rk).

FPRE has the following two properties. First, attribute information xand attribute information v are respectively set in an encryption keyand a decryption key. If and only if a relation R(x, v) holds, adecryption key dk_(v) can decrypt a ciphertext encrypted with anencryption key ek_(x). Second, in addition to the attribute informationx and the attribute information v being respectively set in theencryption key and the decryption key, two pieces of attributeinformation (x′, v) are set in a re-encryption key. If and only if R(x,v) holds, a re-encryption key rk_((x′,v)) can transform a ciphertextencrypted with the encryption key ek_(x) to a ciphertext which can bedecrypted with a decryption key dk_(v′) with which R(x′, v′) holds, thatis, to a ciphertext encrypted with an encryption key ek_(x′).

In a case where R(x, v) holds if and only if a relation R is an equalityrelation, i.e., x=v, this PRE scheme is IDPRE.

ABPRE is available as more generalized PRE than IDPRE. In ABPRE,attribute information which is set in an encryption key and attributeinformation which is set in a decryption key are each a set of attributeinformation. For example, the attribute information which is set in theencryption key is X:=(x₁, . . . , x_(d)), and the attribute informationwhich is set in the decryption key is V:=(v₁, . . . , v_(d)).

An equality relation for each pair of components of the attributeinformation (for example, {x_(t)=v_(t)}tε{1, . . . , d}) is inputted toan access structure S, and R(X, V) holds if and only if the accessstructure accepts this input. That is, a ciphertext encrypted with theencryption key can be decrypted with the decryption key. Non-PatentLiterature 2 proposes a ciphertext-policy PRE scheme according to whichan access structure S is embedded in a ciphertext. The access structurein this case consists of only AND and negative elements.

There is ordinary FE in which a ciphertext forwarding function does notexist, that is, a re-encryption key does not exist. In FE, are-encryption key and a re-encryption process do not exist, andattribute information x and attribute information v are respectively setin an encryption key and a decryption key. If and only if a relationR(x, v) holds, a decryption key dk_(v):=(dk, v) can decrypt a ciphertextencrypted with an encryption key ek_(x):=(ek, x).

<2. Dual Pairing Vector Spaces>

First, symmetric bilinear pairing groups will be described.

Symmetric bilinear pairing groups (q, G, G^(T), g, e) are a tuple of aprime q, a cyclic additive group G of order q, a cyclic multiplicativegroup G^(T) of order q, g≠0εG, and a polynomial-time computablenondegenerate bilinear pairing e:G×G→G_(T). The nondegenerate bilinearpairing signifies e(sg, tg)=e(g, g)^(st), and e(g, g)≠1.

In the following description, let G_(bpg) be an algorithm that takes asinput 1^(λ) and outputs values of a parameter param_(G):=(q, G, G_(T),g, e) of bilinear pairing groups with a security parameter λ.

Dual pairing vector spaces will now be described.

Dual pairing vector spaces (q, V, G_(T), A, e) can be constructed by adirect product of the symmetric bilinear pairing groups (param_(G):=(q,G, G_(T), g, e)). The dual pairing vector spaces (q, V, G_(T), A, e) area tuple of a prime q, an N-dimensional vector space V over F_(q)indicated in Formula 113, a cyclic group G_(T) of order q, and acanonical basis A:=(a₁, . . . , a_(N)) of the space V, and have thefollowing operations (1) and (2), where a_(i) is as indicated in Formula114.

$\begin{matrix}{{??}\text{:=}\mspace{14mu}\overset{\overset{N}{︷}}{{??} \times \ldots \times {??}}} & \left\lbrack {{Formula}\mspace{14mu} 113} \right\rbrack \\{a_{i}\text{:=}\mspace{14mu}\left( {\overset{\overset{i - 1}{︷}}{0,\ldots,\mspace{14mu} 0},g,\overset{\overset{N - i}{︷}}{0,\ldots,\mspace{14mu} 0}} \right)} & \left\lbrack {{Formula}\mspace{14mu} 114} \right\rbrack\end{matrix}$

Operation (1): Nondegenerate Bilinear Pairing

A pairing in the space V is defined by Formula 115.e(x,y):=Π_(i=1) ^(N) e(G _(i) ,H _(i))ε

_(T)  [Formula 115]where(G ₁ , . . . ,G _(N)):=xε

,(H ₁ , . . . ,H _(N)):=yε

.

This is nondegenerate bilinear, that is, e(sx, ty)=e(x, y)^(st) and ife(x, y)=1 for all yεV, then x=0. For all i and j, e(a_(i), a_(j))=e(g,g)^(δi,j), where δ_(i,j)=1 if i=j, and δ_(i,j)=0 if i≠j, and e(g,g)≠1εG_(T).

Operation (2): Distortion Maps

Linear transformations φ_(i,j) on the space V indicated in Formula 116can achieve Formula 117.

$\begin{matrix}{{{{if}\mspace{14mu}{\phi_{i,j}\left( a_{j} \right)}} = {{a_{i}\mspace{14mu}{and}\mspace{14mu} k} \neq j}},{{{then}\mspace{14mu}{\phi_{i,j}\left( a_{k} \right)}} = 0.}} & \left\lbrack {{Formula}\mspace{14mu} 116} \right\rbrack \\{{{\phi_{i,j}(x)}\text{:=}\mspace{20mu}\left( {\overset{\overset{i - 1}{︷}}{0,\ldots,\mspace{14mu} 0},g_{j},\overset{\overset{N - i}{︷}}{0,\ldots,\mspace{14mu} 0}} \right)}\text{}{{{where}\left( {g_{1},{\ldots\mspace{11mu} g_{N}}} \right)}\text{:=}\mspace{14mu}{x.}}} & \left\lbrack {{Formula}\mspace{14mu} 117} \right\rbrack\end{matrix}$

The linear transformations φ_(i,j) will be called distortion maps.

In the following description, let G_(dpvs) be an algorithm that takes asinput 1^(λ) (λ ε natural number), Nε natural number, and values of aparameter param_(G):=(q, G, G_(T), g, e) of bilinear pairing groups, andoutputs values of a parameter param_(V):=(q, V, G_(T), A, e) of dualpairing vector spaces with a security parameter λ and an N-dimensionalspace V.

Description will be directed herein to a case where the dual pairingvector spaces are constructed using the above-described symmetricbilinear pairing groups. The dual pairing vector spaces can also beconstructed using asymmetric bilinear pairing groups. The followingdescription can easily be adapted to a case where the dual pairingvector spaces are constructed using asymmetric bilinear pairing groups.

<3. Concept for Implementing FPRE Scheme>

<3-1. Span Program>

FIG. 1 is an explanatory drawing of a matrix M^.

Let {p₁, . . . , p_(n)} be a set of variables. M^:=(M, ρ) is a labeledmatrix. The matrix M is an (L rows×r columns) matrix over F_(q), and ρis a label of columns of the matrix M and is related to one of literals{p₁, . . . p_(n),

p₁, . . . .

p_(n)}. A label ρ_(i) (i=1, . . . , L) of each row of M is related toone of the literals. That is, ρ{1, . . . , L}→{p₁, . . . , p_(n),

p₁, . . . ,

p_(n)}.

For every input sequence δε{0, 1}^(n), a submatrix M_(δ) of the matrix Mis defined. The matrix M_(ε) is a submatrix consisting of those rows ofthe matrix M the labels ρ of which are related to a value “1” by theinput sequence δ. That is, the matrix M_(δ) is a submatrix consisting ofthe rows of the matrix M which are related to p_(i) such that δ_(i)=1and the rows of the matrix M which are related to

p_(i) such that δ_(i)=0.

FIG. 2 is an explanatory drawing of the matrix M_(δ). In FIG. 2, notethat n=7, L=6, and r=5. That is, the set of variables is {p₁, . . . ,p₇}, and the matrix M is a (6 rows×5 columns) matrix. In FIG. 2, assumethat the labels p are related such that ρ₁ is related to

p₂, ρ₂ to p₁, ρ₃ to p₄, ρ₄ to

p₅, ρ₅ to

p₃, and ρ₆ to p₅.

Assume that in an input sequence δε{0, 1}⁷, δ₁=1, δ₂=0, δ₃=1, δ₄=0,δ₅=0, δ₆=1, and δ₇=1. In this case, a submatrix consisting of the rowsof the matrix M which are related to literals (p₁, p₃, p₆, p₇,

p₂,

p₄,

p₅) surrounded by broken lines is the matrix M_(δ). That is, thesubmatrix consisting of the first row (M₁), second row (M₂), and fourthrow (M₄) of the matrix M is the matrix M_(δ).

-   -   In other words, when map γ: {1, . . . , L}→{0, 1} is        [ρ(j)=p_(i)]^[δ_(i)=1] or [ρ(j)=        p_(i)]^[δ_(i)=0], then γ(j)=1; otherwise γ(j)=0. In this case,        M_(δ):=(M_(j))_(γ(j)=1). Note that M_(j) is the j-th row of the        matrix M.

That is, in FIG. 2, map γ(j)=1(j=1, 2, 4), and map γ(j)=0 (j=3, 5, 6).Hence, (M_(j))_(γ(j)−1) is M₁, M₂, and M₄, and is the matrix M_(δ).

More specifically, whether or not the j-th row of the matrix M isincluded in the matrix M_(δ) is determined by whether the value of themap γ(j) is “0” or “1”.

The span program M^accepts an input sequence δ if and only if 1^(→)εspan<M_(δ)>, and rejects the input sequence δ otherwise. That is, thespan program M^ accepts the input sequence δ if and only if linearcombination of the rows of the matrix M_(δ) which are obtained from thematrix M^ by the input sequence δ gives 1^(→). 1^(→) is a row vectorwhich has a value “1” in each element.

For example, in FIG. 2, the span program M^ accepts the input sequence δif and only if linear combination of the respective rows of the matrixM_(δ) consisting of the first, second, and fourth rows of the matrix Mgives 1^(→). That is, if there exist α₁, α₂, and α₄ with whichα₁(M₁)+α₂(M₂)+α₄(M₄)=1^(→), the span program M^ accepts the inputsequence δ.

The span program is called monotone if its labels ρ are related to onlypositive literals {p₁, . . . , p_(n)}. The span program is callednon-monotone if its labels ρ are

related to the literals {p₁, . . . , p_(n),

p₁, . . . ,

p_(n)}. It is assumed herein that the span program is non-monotone. Anaccess structure (non-monotone access structure) is constructed usingthe non-monotone span program. Briefly, an access structure controlsaccess to encryption, that is, it controls whether a ciphertext is to bedecrypted or not.

As will be described in detail later, the span program beingnon-monotone, instead of being monotone, allows for a wider range ofapplications of the FPRE scheme constructed using the span program.

<3-2. Inner-Product of Attribute Information and Access Structure>

The above-described map γ(j) is computed using the inner-product ofattribute information. That is, the inner-product of attributeinformation is used to determine which row of the matrix M is to beincluded in the matrix M_(δ).

U_(t) (t=1, . . . , d and U_(t) ⊂{0, 1}*) is a sub-universe and a set ofattributes. Each U_(t) includes identification information (t) of thesub-universe and an n-dimensional vector (v^(→)). That is, U_(t) is (t,v^(→)), where tε{1, . . . , d} and v^(→)εF_(q) ^(n).

Let U_(t):=(t, v^(→)) be a variable p of the span program M^:=(M, ρ).That is, p:=(t, v^(→)). Let the span program M^:=(M, ρ) having thevariable (p:=(t, v^(→)), (t, v′^(→)), . . . ) be an access structure S.

That is, the access structure S:=(M, ρ) and ρ:{1, . . . , L}→{(t,v^(→)), (t, v′^(→)), . . . ,

(t, v^(→)),

(t, v′^(→)), . . . }.

Let Γ be a set of attributes. That is, Γ:={(t, x^(→) _(t))|x^(→) _(t)εF_(q) ^(n), 1≦t≦d}.

When Γ is given to the access structure S, map γ:{1, . . . , L}→{0, 1}for the span program M^:=(M, ρ) is defined as follows. For each integeri=1, . . . , L, set γ(j)=1 if [ρ(i)=(t, v^(→) _(i))]

[(t, x^(→) _(t))εΓ]

[v^(→) _(i)·x^(→) _(t)=0] or [ρ(i)=

(t, v^(→) _(i))]

[(t, x^(→) _(t))εΓ]

[v^(→) _(i)·x^(→) _(t)≠0]. Set γ(j)=0 otherwise.

That is, the map γ is computed based on the inner-product of theattribute information v^(→) and x^(→). As described above, which row ofthe matrix M is to be included in the matrix M_(δ) is determined by themap γ. More specifically, which row of the matrix M is to be included inthe matrix M_(δ) is determined by the inner-product of the attributeinformation v^(→) and x^(→). The access structure S:=(M, ρ) accepts Γ ifand only if 1^(→)ε span<(M_(i))_(γ(i)=1)>.

<3-3. Secret Distribution Scheme>

A secret distribution scheme for the access structure S:=(M, ρ) will bedescribed.

The secret distribution scheme is distributing secret information torender it nonsense distributed information. For example, secretinformation s is distributed into 10 pieces to generate 10 pieces ofdistributed information. Each of the 10 pieces of distributedinformation does not have information on the secret information s.Hence, even when one of the pieces of distributed information isobtained, no information can be obtained on the secret information s. Onthe other hand, if all of the 10 pieces of distributed information areobtained, the secret information s can be recovered.

Another secret distribution scheme is also available according to whichthe secret information s can be recovered if some (for example, 8pieces) of distributed information can be obtained, without obtainingall of the 10 pieces of distributed information. A case like this wherethe secret information s can be recovered using 8 pieces out of 10pieces of distributed information will be called 8-out-of-10. That is, acase where the secret information s can be recovered using t pieces outof n pieces of distributed information will be called t-out-of-n. This twill be called a threshold.

Still another secret distribution scheme is available according to whichwhen 10 pieces of distributed information d₁, . . . , d₁₀ are generated,the secret information s can be recovered with 8 pieces of distributedinformation d₁, . . . , d₈, but the secret information s cannot berecovered with 8 pieces of distributed information d₃, . . . , d₁₀. Inother words, secret distribution schemes include a scheme according towhich whether or not the secret information s can be recovered iscontrolled not only by the number of pieces of distributed informationobtained, but also the combination of distributed information obtained.

FIG. 3 is an explanatory drawing of s₀. FIG. 4 is an explanatory drawingof s^(→T).

Let a matrix M be an (L rows×r columns) matrix. Let f^(→T) be a columnvector indicated in Formula 118.

$\begin{matrix}{{\overset{\rightarrow}{f}}^{T}:={\left( {f_{1},{\ldots\mspace{14mu} f_{r}}} \right)^{T}\overset{U}{\longleftarrow}{??}_{q}^{r}}} & \left\lbrack {{Formula}\mspace{14mu} 118} \right\rbrack\end{matrix}$

Let s₀ indicated in Formula 119 be secret information to be shared.s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T) :=Σk=1^(r) f_(k)  [Formula 119]

Let s^(→T) indicated in Formula 120 be a vector of L pieces ofdistributed information of s₀.{right arrow over (s)} ^(T):=(s ₁ , . . . s _(L))^(T) :=M·{right arrowover (f)} ^(T)  [Formula 120]

Let the distributed information s_(i) belong to ρ(i).

If the access structure S:=(M, ρ) accepts Γ, that is, 1^(→)εspan<(M_(i))_(γ(i)−1)> for γ:{1, . . . , L}→{0, 1}, then there existconstants {α_(i)εF_(q)|iεI} such that I⊂{iε{1, . . . , L}|γ(i)−=1}.

This is obvious from the explanation about the example of FIG. 2 that ifthere exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)=1^(→), thespan program M^ accepts the input sequence δ. That is, if the spanprogram M^ accepts the input sequence δ when there exist α₁, α₂, and α₄with which α₁(M₁)+α₂(M₂)+α₄(M₄)=1^(→), then there exist α₁, α₂, and α₄with which α₁(M₁)+α₂(M₂)+α₄(M₄)=1^(→).

Note Formula 121.Σ_(iεI)α_(i) s _(i) :=s ₀  [Formula 121]

Note that the constants {α_(i)}can be computed in time polynomial in thesize of the matrix M.

With the FPRE scheme according to the following embodiments, an accessstructure is constructed by applying the inner-product predicate and thesecret distribution scheme to the span program, as described above.Therefore, access control can be designed flexibly by designing thematrix M in the span program and the attribute information x and theattribute information v (predicate information) in the inner-productpredicate. That is, access control can be designed very flexibly.Designing of the matrix M corresponds to designing of conditions such asa threshold of the secret distribution scheme.

For example, the attribute-based encryption scheme described abovecorresponds to a case where designing of the inner-product predicate islimited to a certain condition in the access structure in the FPREscheme according to the following embodiments. That is, when compared tothe access structure in the FPRE scheme according to the followingembodiments, the access structure in the attribute-based encryptionscheme has a lower flexibility in access control design because it lacksthe flexibility in designing the attribute information x and theattribute information v (predicate information) in the inner-productpredicate. More specifically, the attribute-based encryption schemecorresponds to a case where attribute information {x^(→)_(t)}_(tε{1, . . . , d}) and {v^(→) _(t)}_(tε{1, . . . , d}) are limitedto two-dimensional vectors for the equality relation, for example, x^(→)_(t):=(1, x_(t)) and v^(→) _(t):=(v_(t), −1).

An inner-product predicate PRE scheme corresponds to a case wheredesigning of the matrix M in the span program is limited to a certaincondition in the access structure in the FPRE scheme according to thefollowing embodiments. That is, when compared to the access structure inthe FPRE scheme according to the following embodiments, the accessstructure in the inner-product predicate encryption scheme has a lowerflexibility in access control design because it lacks the flexibility indesigning the matrix M in the span program. More specifically, theinner-product predicate encryption scheme corresponds to a case wherethe secret distribution scheme is limited to 1-out-of-1 (or d-out-of-d).

In particular, the access structure in the FPRE scheme according to thefollowing embodiments constitutes a non-monotone access structure thatuses a non-monotone span program. Thus, the flexibility in accesscontrol designing improves.

More specifically, since the non-monotone span program includes anegative literal (

p), a negative condition can be set. For example, assume that FirstCompany includes four departments, A, B, C, and D. Assume that accesscontrol is to be performed such that only users belonging to departmentsother than department B of First Company are capable of access (capableof decryption). In this case, if a negative condition cannot be set, acondition that “the user belongs to any one of departments A, C, and Dof First Company” must be set. On the other hand, if a negativecondition can be set, a condition that “the user is an employee of FirstCompany and belongs to a department other than department B” can be set.In other words, since a negative condition can be set, natural conditionsetting is possible. Although the number of departments is small in thiscase, this scheme is very effective in a case where the number ofdepartments is large.

<4. Basic Structure of FPRE Scheme>

<4-1. Basic Structure of CP-FPRE Scheme>

The structure of the CP-FPRE scheme will be briefly described. Note thatCP (ciphertext policy) means that a policy, namely an access structure,is embedded in a ciphertext.

The CP-FPRE scheme consists of seven algorithms: Setup, KG, Enc, RKG,REnc, Dec1, and Dec2.

(Setup)

A Setup algorithm is a probabilistic algorithm that takes as input asecurity parameter λ and an attribute format n^(→):=(d; n₁, . . . ,n_(d); u₁, . . . , u_(d); z₁, . . . , z_(d)), and outputs a publicparameter pk and a master key sk.

(KG)

A KG algorithm is a probabilistic algorithm that takes as input anattribute set Γ:={(t, x^(→) _(t))|x^(→) _(t) εF_(q) ^(nt), 1≦t≦d}, thepublic parameter pk, and the master key sk, and outputs a decryption keysk_(Γ).

(Enc)

An Enc algorithm is a probabilistic algorithm that takes as input amessage m, an access structure S=(M, ρ), and the public parameter pk,and outputs a ciphertext ct_(S).

(RKG)

An RKG algorithm is a probabilistic algorithm that takes as input thedecryption key sk_(Γ), an access structure S′:=(M′, ρ′), and the publicparameter pk, and outputs a re-encryption key rk_((Γ.S′)).

(REnc)

An REnc algorithm is a probabilistic algorithm that takes as input theciphertext ct_(S), the re-encryption key rk_((Γ.S′)), and the publicparameter pk, and outputs a re-encrypted ciphertext CT_(S′).

(Dec1)

A Dec1 algorithm is an algorithm that takes as input the re-encryptedciphertext CT_(S′), the decryption key sk_(Γ′), and the public parameterpk, and outputs the message m or a distinguished symbol ⊥.

(Dec2)

A Dec2 algorithm is an algorithm that takes as input the ciphertextct_(S), the decryption key sk_(Γ), and the public parameter pk, andoutputs the message m or the distinguished symbol ⊥.

<4-2. Cryptographic Processing System 10>

The cryptographic processing system 10 that executes the algorithms ofthe CP-FPRE scheme will be described.

FIG. 5 is a configuration diagram of the cryptographic processing system10 that implements the CP-FPRE scheme.

The cryptographic processing system 10 includes a key generation device100, an encryption device 200, a decryption device 300 (re-encryptionkey generation device), a re-encryption device 400, and a re-encryptedciphertext decryption device 500.

The key generation device 100 executes the Setup algorithm taking asinput a security parameter λ and an attribute format n^(→):=(d; n₁, . .. , n_(d); u₁, . . . , u_(d); z₁, . . . , z_(d)), and thus generates apublic parameter pk and a master key sk.

Then, the key generation device 100 publishes the public parameter pk.The key generation device 100 also executes the KG algorithm taking asinput an attribute set Γ, and thus generates a decryption key sk_(Γ),and transmits the decryption key sk_(Γ) to the decryption device 300 insecrecy. The key generation device 100 also executes the KG algorithmtaking as input an attribute set Γ, and thus generates a decryption keysk_(Γ), and transmits the decryption key sk_(Γ), to the re-encryptedciphertext decryption device 500 in secrecy.

The encryption device 200 executes the Enc algorithm taking as input amessage m, an access structure S, and the public parameter pk, and thusgenerates a ciphertext ct_(S). The encryption device 200 transmits theciphertext ct_(S) to the re-encryption device 400.

The decryption device 300 executes the RKG algorithm taking as input thepublic parameter pk, the decryption key sk_(Γ), and an access structureS′, and thus generates a re-encryption key rk_((Γ.S′)). The decryptiondevice 300 transmits the re-encryption key rk_((Γ.S′)) to there-encryption device in secrecy.

The decryption device 300 also executes the Dec2 algorithm taking asinput the public parameter pk, the decryption key sk_(Γ), and theciphertext ct_(S), and outputs the message m or the distinguished symbol⊥.

The re-encryption device 400 executes the REnc algorithm taking as inputthe public parameter pk, the re-encryption key rk_((Γ.S′)), and theciphertext ct_(S), and thus generates a re-encrypted ciphertext CT_(S′).The re-encryption device 400 transmits the re-encrypted ciphertextCT_(S′) to the re-encrypted ciphertext decryption device 500.

The re-encrypted ciphertext decryption device 500 executes the Dec1algorithm taking as input the public parameter pk, the decryption keysk_(Γ), the re-encrypted ciphertext CT_(S′) and outputs the message m orthe distinguished symbol ⊥.

<4-3. Items Used to Implement CP-FPRE Scheme>

To implement the CP-FPRE scheme, ciphertext-policy functional encryption(CP-FE) and one-time signature are used. Since both are publicly knowntechniques, schemes to be used in the following description will bebriefly described. An example of a CP-FE scheme is discussed in PatentLiterature 1.

The CP-FE scheme consists of four algorithms: Setup_(CP-FE), KG_(CP-FE),EnC_(CP-FE), and Dec_(CP-FE)4.

(Setup_(CP-FE))

A Setup_(CP-FE) algorithm is a probabilistic algorithm that takes asinput a security parameter λ and an attribute format n^(→):=(d; n₁, . .. , n_(d)), and outputs a public parameter pk^(CP-FE) and a master keysk^(CP-FE).

(KG_(CP-FE))

A KG_(CP-FE) algorithm is a probabilistic algorithm that takes as inputan attribute set Γ:={(t, x^(→) _(t))|x^(→) _(t) εF_(q) ^(nt), 1≦t≦d},the public parameter pk^(CP-FE), and the master key sk^(CP-FE), andoutputs a decryption key sk_(Γ) ^(CP-FE).

(Enc_(CP-FE))

An Enc_(CP-FE) algorithm is a probabilistic algorithm that takes asinput a message m, an access structure S=(M, ρ), and the publicparameter pk^(CP-FE), and outputs a ciphertext ψ.

(Dec_(CP-FE))

A Dec_(CP-FE) algorithm is an algorithm that takes as input theciphertext ψ, the decryption key sk_(Γ) ^(CP-FE), and the publicparameter pk^(CP-FE), and outputs the message m or the distinguishedsymbol ⊥.

A one-time signature scheme consists of three algorithms: SigKG, Sig,and Ver.

(SigKG)

A SigKG algorithm is a probabilistic algorithm that takes as input asecurity parameter λ, and outputs a signature key sigk and averification key verk.

(Sig)

A Sig algorithm is a probabilistic algorithm that takes as input thesignature key sigk and a message m, and outputs a signature S.

(Ver)

A Ver algorithm is an algorithm that takes as input the verification keyverk, the message m, and the signature S, and outputs 1 if the signatureS is valid for the verification key verk and the message m and outputs 0if not valid.

<4-4. CP-FPRE Scheme and Cryptographic Processing System 10 in Detail>

With reference to FIG. 6 through FIG. 17, the CP-FPRE scheme will bedescribed, and the function and operation of the cryptographicprocessing system 10 that implements the CP-FPRE scheme will bedescribed.

FIG. 6 is a functional block diagram illustrating the function of thekey generation device 100. FIG. 7 is a functional block diagramillustrating the function of the encryption device 200. FIG. 8 is afunctional block diagram illustrating the function of the decryptiondevice 300. FIG. 9 is a functional block diagram illustrating thefunction of the re-encryption device 400. FIG. 10 is a functional blockdiagram illustrating the function of the re-encrypted ciphertextdecryption device 500.

FIGS. 11 and 12 are flowcharts illustrating the operation of the keygeneration device 100. FIG. 11 is a flowchart illustrating the processof the Setup algorithm, and the FIG. 12 is a flowchart illustrating theprocess of the KG algorithm. FIG. 13 is a flowchart illustrating theoperation of the encryption device 200 and illustrating the process ofthe Enc algorithm. FIG. 14 is a flowchart illustrating the operation ofthe decryption device 300 and illustrating the process of the RKGalgorithm. FIG. 15 is a flowchart illustrating the operation of there-encryption device 400 and illustrating the process of the REncalgorithm. FIG. 16 is a flowchart illustrating the operation of there-encrypted ciphertext decryption device 500 and illustrating theprocess of the Dec1 algorithm. FIG. 17 is a flowchart illustrating theoperation of the decryption device 300 and illustrating the process ofthe Dec2 algorithm.

The function and operation of the key generation device 100 will bedescribed.

The key generation device 100 includes a master key generation part 110,a master key storage part 120, an information input part 130, adecryption key generation part 140, and a key transmission part 150. Thedecryption key generation part 140 includes a CP-FE key generation part141, a random number generation part 142, and a decryption key k*generation part 143.

With reference to FIG. 11, the process of the Setup algorithm will bedescribed.

(S101: Orthonormal Basis Generation Step)

Using the processing device, the master key generation part 110 computesFormula 122, and thus generates a parameter param_(n→), a basis B₀ and abasis B*₀, and a basis B_(t) and a basis B*_(t).

$\begin{matrix}{\mspace{79mu}{{{(1)\mspace{14mu}{input}\mspace{14mu} 1^{\lambda}},\overset{\rightarrow}{n}}\mspace{79mu}{{(2)\mspace{14mu}{param}_{??}}:={\left( {q,{??},{??}_{T},g,e} \right)\overset{R}{\longleftarrow}{{??}_{bpg}\left( 1^{\lambda} \right)}}}{{{(3)\mspace{14mu} N_{0}}:=7},{N_{t}:={{n_{t} + u_{t} + z_{t} + {1\mspace{14mu}{for}\mspace{14mu} t}} = 1}},\ldots\mspace{14mu},d,\mspace{79mu}{\psi\overset{U}{\longleftarrow}{??}_{q}^{\times}},{g_{T}:={e\left( {g,g} \right)}^{\psi}}}}} & \left\lbrack {{Formula}\mspace{14mu} 122} \right\rbrack\end{matrix}$The process of (4) through (7) is executed for each integer t=0, . . . ,d.

${{(4)\mspace{14mu}{param}_{{??}_{t}}}:={\left( {q,{??},{??}_{T},{??}_{T},e} \right)\overset{R}{\longleftarrow}{{??}_{dpvs}\left( {1^{\lambda},N_{t},{param}_{??}} \right)}}},{{(5)\mspace{14mu} X_{t}} = {\begin{pmatrix}{\overset{\rightarrow}{\chi}}_{t,1} \\\vdots \\{\overset{\rightarrow}{\chi}}_{t,N_{t}}\end{pmatrix}:={\left( \chi_{t,i,j} \right)_{i,j}\overset{U}{\longleftarrow}{{GL}\left( {N_{t},{??}_{q}} \right)}}}},{{(6)\mspace{14mu}\begin{pmatrix}{\overset{\rightarrow}{v}}_{t,1} \\\vdots \\{\overset{\rightarrow}{v}}_{t,N_{t}}\end{pmatrix}}:={\left( v_{t,i,j} \right)_{i,j}:={\psi \cdot \left( X_{t}^{T} \right)^{- 1}}}},{{(7)\mspace{14mu} b_{t.i}}:={\sum\limits_{j = 1}^{N_{t}}{\chi_{t,i,j}a_{t,j}}}},{{??}_{t}:=\left( {b_{t{.1}},\ldots\mspace{14mu},b_{t.N_{t}}} \right)},\mspace{40mu}{b_{t.i}^{*}:={\sum\limits_{j = 1}^{N_{t}}{v_{t,i,j}a_{t,j}}}},{{??}_{t}^{*}:=\left( {b_{t{.1}}^{*},\ldots\mspace{14mu},b_{t.N_{t}}^{*}} \right)},{{(8)\mspace{14mu}{param}_{\overset{\rightarrow}{n}}}:=\left( {\left\{ {param}_{{??}_{t}} \right\}_{{t = 0},\;\ldots\mspace{11mu},d},g_{T}} \right)}$

That is, the master key generation part 110 executes the followingprocess.

-   -   (1) Using the input device, the master key generation part 110        takes as input a security parameter λ(1^(λ)) and an attribute        format n^(→):=(d; n₁, . . . , n_(d); u₁, . . . , u_(d); z₁, . .        . , z_(d)). Note that d is an integer of 1 or more, and that        n_(t) is an integer of 1 or more, and u_(t) and z_(t) are        integers of 0 or more, for each integer t=1, . . . , d.

(2) Using the processing device, the master key generation part 110executes the algorithm G_(bpg) taking as input the security parameter λinputted in (1), and thus generates values of a parameter param_(G):=(q,G, G_(T), g, e) of bilinear pairing groups.

(3) The master key generation part 110 sets 7 in N₀ and setsn_(t)+u_(t)+z_(t)+1 in N_(t) for each integer t=1, . . . , d. The masterkey generation part 110 also generates a random number ψ. The master keygeneration part 110 also sets e(G, G)^(ψ) in g_(T).

Then, the master key generation part 110 executes the following process(4) through (7) for each integer t=0, . . . , d.

-   -   (4) The master key generation part 110 executes the algorithm        G_(dpvs) taking as input the security parameter λ (1^(λ))        inputted in (1), N_(t) set in (3), and the values of        param_(G):=(q, G, G_(T), g, e) generated in (2), and thus        generates values of a parameter param_(Vt):=(q, V_(t), G_(T),        A_(t), e) of dual pairing vector spaces.

(5) The master key generation part 110 takes as input N_(t) set in (3)and F_(q), and randomly generates a linear transformationX_(t):=(χ_(t,i,j))_(i,j). Note that GL stands for general linear. Inother words, GL is a general linear group, a set of square matrices withnonzero determinants, and a group under multiplication. Note that(χ_(t,i,j))_(i,j) denotes a matrix concerning the suffixes i and j ofthe matrix χ_(t,i,j), where i, j=1, . . . , N_(t).

(6) Based on the random number ψ and the linear transformation X_(t),the master key generation part 110 generates (ν_(t,i,j))_(i,j):=ψ·(X_(t)^(T))⁻¹. Like (χ_(t,i,j))_(i,j), (ν_(t,i,j))_(i,j) denotes a matrixconcerning the suffixes i and j of the matrix ν_(t,i,j,) where i, j=1, .. . , N_(t).

(7) Based on the linear transformation X_(t) generated in (5), themaster key generation part 110 generates a basis B_(t) from theorthonormal basis A_(t) generated in (4). Based on (ν_(t,i,j))_(i,j)generated in (6), the master key generation part 110 generates a basisB*_(t) from the orthonormal basis A_(t) generated in (4).

(8) The master key generation part 110 sets{param_(Vt)}_(t=0, . . . , d) generated in (4) and g_(T) in param_(n→).

(S102: CP-FE Master Key Generation Step)

Using the processing device, the master key generation part 110 computesFormula 123, and thus generates a public parameter pk^(CP-FE) and amaster key sk^(CP-FE) of functional encryption.

$\begin{matrix}{\left( {{p\; k^{{CP} - {FE}}},{sk}^{{CP} - {FE}}} \right)\overset{R}{\longleftarrow}{{Setup}_{{CP} - {FE}}\left( {1^{\lambda},\overset{\rightarrow}{n}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 123} \right\rbrack\end{matrix}$

(S103: Public Parameter Generation Step)

Using the processing device, the master key generation part 110generates a subbasis B^₀ of the basis B₀ and a subbasis B^_(t) of thebasis B_(t), as indicated in Formula 124.

₀:=(b _(0.1) ,b _(0.2) ,b _(0.3) ,b _(0.4) ,b _(0.7)),

_(t):=(b _(t.1) , . . . ,b _(t.n) _(t) ,b _(t.N) _(t) ) for t=1, . . .,d  [Formula 124]

The master key generation part 110 generates a public parameter pk byputting together the public parameter pk^(CP-FE), the security parameterλ, param_(n→), the subbasis B^₀ and the subbasis B^_(t), basis vectorsb*_(0.2), b*_(0.3), b*_(0.4), and b*_(0.6), and basis vectors b*_(t.1),. . . , b*_(t.nt), b*_(t.nt+ut+1), . . . , and b*_(t.nt+ut+z) for eachinteger t=1, . . . , d.

(S104: Master Key Generation Step)

The master key generation part 110 generates a subbasis B^*₀ of thebasis B*₀ generated in (S101), as indicated in Formula 125.

*₀:=(b* _(0.1) ,b* _(0.2) ,b* _(0.3) ,b* _(0.4) ,b* _(0.7)),

*_(t):=(b* _(t.1) , . . . ,b* _(t.n) _(t) ,b* _(t.N) _(t) ) for t=1, . .. ,d  [Formula 125]

The master key generation part 110 generates a master key sk which isconstituted by the master key sk^(CP-FE) and a basis vector b*_(0.1).

(S105: Master Key Storage Step)

The master key storage part 120 stores the public parameter pk generatedin (S103) in the storage device. The master key storage part 120 alsostores the master key sk generated in (S104) in the storage device.

In brief, in (S101) through (S104), the key generation device 100generates the public parameter pk and the master key sk by executing theSetup algorithm indicated in Formula 126-1 and Formula 126-2. In (S105),the key generation device 100 stores the generated public parameter pkand master key sk in the storage device.

The public parameter is published, for example, via the network, and ismade available for the encryption device 200, the decryption device 300,the re-encryption device 400, and the re-encrypted ciphertext decryptiondevice 500.

$\begin{matrix}{{{{{Setup}\left( {1^{\lambda},{\overset{\rightarrow}{n} = \left( {{d;n_{1}},\ldots\mspace{14mu},{n_{d};u_{1}},\ldots\mspace{14mu},{u_{d};z_{1}},\ldots\mspace{14mu},z_{d}} \right)}} \right)}:\mspace{20mu}{param}_{??}}:={\left( {q,{??},{??}_{T},g,e} \right)\overset{R}{\leftarrow}{{??}_{bpg}\left( 1^{\lambda} \right)}}},\mspace{20mu}{N_{0}:=7},\mspace{20mu}{N_{t}:={{n_{t} + u_{t} + z_{t} + {1\mspace{14mu}{for}\mspace{14mu} t}} = 1}},\ldots\mspace{14mu},d,\mspace{20mu}{\psi\overset{U}{\longleftarrow}{??}_{q}^{x}},{g_{T}:={e\left( {g,g} \right)}^{\psi}},\mspace{20mu}{{{for}\mspace{14mu} t} = 0},\ldots\mspace{14mu},d,{{parm}_{{??}_{t}}:={\left( {q,{??},{??}_{T},{??}_{T},e} \right)\overset{R}{\longleftarrow}{{??}_{dpvs}\left( {1^{\lambda},N_{t},{param}_{??}} \right)}}},\mspace{20mu}{X_{t} = {\begin{pmatrix}{{\overset{\rightarrow}{\chi}}_{t},1} \\\vdots \\{{\overset{\rightarrow}{\chi}}_{t},N_{t}}\end{pmatrix}:={\left( \chi_{t,i,j} \right)_{i,j}\overset{U}{\longleftarrow}{{GL}\left( {N_{t},{??}_{q}} \right)}}}},\mspace{20mu}{\begin{pmatrix}{{\overset{\rightarrow}{v}}_{t},1} \\\vdots \\{{\overset{\rightarrow}{v}}_{t},N_{t}}\end{pmatrix}:={\left( v_{t,i,j} \right)_{i,j}:={\psi \cdot \left( X_{t}^{T} \right)^{- 1}}}},} & \left\lbrack {{Formula}\mspace{14mu} 126\text{-}1} \right\rbrack \\{\mspace{79mu}{{{{b_{t.i}:={\sum\limits_{j = 1}^{N_{t}}\;{\chi_{t,i,j}a_{t,j}}}},{{??}_{t}:=\left( {b_{t{.1}},\ldots\mspace{14mu},b_{t.N_{t}}} \right)},\mspace{20mu}{b_{t.i}^{*}:={\sum\limits_{j = 1}^{N_{t}}\;{v_{t,i,j}a_{t,j}}}},{{??}_{t}^{*}:=\left( {b_{t{.1}}^{*},\ldots\mspace{14mu},b_{t.N_{t}}^{*}} \right)},\mspace{20mu}{\left( {{pk}^{{CP} - {FE}},{sk}^{{CP} - {FE}}} \right)\overset{R}{\longleftarrow}{{Setup}_{{CP} - {FE}}\left( {1^{\lambda},\overset{\rightarrow}{n}} \right)}}}\mspace{20mu}{{{\hat{??}}_{0}:=\left( {b_{0.1},b_{0.2},b_{0.3},b_{0.4},b_{0.7}} \right)},\mspace{79mu}{{\hat{??}}_{t}:={{\left( {b_{t{.1}},\ldots\mspace{14mu},b_{t.n_{t}},b_{t.N_{t}}} \right)\mspace{14mu}{for}\mspace{14mu} t} = 1}},\ldots\mspace{14mu},d,\mspace{79mu}{{\hat{??}}_{0}^{*}:=\left( {b_{0.1}^{*},b_{0.2}^{*},b_{0.3}^{*},b_{0.4}^{*},b_{0.6}^{*}} \right)},\mspace{34mu}{{\hat{??}}_{t}^{*}:=\left( {b_{t{.1}}^{*},\ldots\mspace{14mu},b_{t.n_{t}}^{*},b_{{t.n_{t}} + u_{t} + 1}^{*},\ldots\mspace{14mu},b_{{t.n_{t}} + u_{t} + z_{t}}^{*}} \right)}}}\mspace{20mu}{{{{for}\mspace{14mu} t} = 1},\ldots\mspace{14mu},d,\mspace{20mu}{{param}_{\overset{\rightarrow}{n}}:=\left( {\left\{ {param}_{{??}_{t}} \right\}_{{t = 0},\ldots\mspace{14mu},d},g_{T}} \right)},{{pk}:=\left( {{pk}^{{CP} - {FE}},1^{\lambda},{param}_{\overset{\rightarrow}{n}},\left\{ {\hat{??}}_{t} \right\}_{{t = 0},\ldots\mspace{14mu},d},b_{0.2}^{*},b_{0.3}^{*},b_{0.4}^{*},b_{0.6}^{*},{{\left\{ {b_{t{.1}}^{*},\ldots\mspace{14mu},b_{t.n_{t}}^{*},b_{{t.n_{t}} + u_{t} + 1}^{*},\ldots\mspace{14mu},b_{{t.n_{t}} + u_{t} + z_{t}}^{*}} \right\} t} = 1},\ldots\mspace{14mu},d} \right)},\mspace{20mu}{{sk}:=\left( {{sk}^{{CP} - {FE}},{\hat{??}}_{0}^{*}} \right)},\mspace{20mu}{{return}\mspace{14mu}{pk}},{{sk}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 126\text{-}2} \right\rbrack\end{matrix}$

With reference to FIG. 12, the process of the KG algorithm will bedescribed.

(S201: Information Input Step)

Using the input device, the information input part 130 takes as input anattribute set Γ:={(t, x^(→) _(t):=(x_(t.1), . . . , x_(t.nt)εF_(q)^(nt)\{0^(→)}))| 1≦t≦d}. Note that t may be at least some of integersfrom 1 to d, instead of being all of integers from 1 to d. Also notethat attribute information of a user of a decryption key sk_(Γ) is setin the attribute set Γ, for example.

(S202: CP-FE Decryption Key Generation Step)

Using the processing device, the CP-FE key generation part 141 computesFormula 127, and thus generates a decryption key sk_(Γ) ^(CP-FE) offunctional encryption.

$\begin{matrix}{{sk}_{\Gamma}^{{CP} - {FE}}\overset{R}{\longleftarrow}{{KG}_{{CP} - {FE}}\left( {{pk}^{{CP} - {FE}},{sk}^{{CP} - {FE}},\Gamma} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 127} \right\rbrack\end{matrix}$

(S203: Random Number Generation Step)

Using the processing device, the random number generation part 142generates random numbers, as indicated in Formula 128.

$\begin{matrix}{\delta,{\varphi\overset{U}{\longleftarrow}{??}_{q}},{{{{\overset{\rightarrow}{\varphi}}_{t}\overset{U}{\longleftarrow}{??}_{q}^{z_{t}}}\mspace{14mu}{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 128} \right\rbrack\end{matrix}$

(S204: Decryption Key k* Generation Step)

Using the processing device, the decryption key k* generation part 143generates a decryption key k*₀, as indicated in Formula 129.k* ₀:=(1,δ,0,0,0,φ,0

  [Formula 129]

For the basis B and the basis B* indicated in Formula 110, Formula 111is established. Thus, Formula 129 means that 1 is set as the coefficientof the basis vector b*_(0.1) of the basis B*₀, δ is set as thecoefficient of the basis vector b*_(0.2), 0 is set as the coefficient ofeach of the basis vectors b*_(0.3), . . . , b*_(0.5), φ is set as thecoefficient of the basis vector b*_(0.6), and 0 is set as thecoefficient of the basis vector b*_(0.7).

Using the processing device, the decryption key k* generation part 143generates a decryption key k*_(t) for each integer t included in theattribute set Γ, as indicated in Formula 130.

$\begin{matrix}{{k_{t}^{*}:=\begin{pmatrix}\overset{\overset{n_{t}}{︷}}{{\delta\;{\overset{\rightarrow}{x}}_{t}},} & \overset{\overset{u_{t}}{︷}}{0^{u_{t}},} & \overset{\overset{z_{t}}{︷}}{{\overset{\rightarrow}{\varphi}}_{t},} & \overset{\overset{1}{︷}}{0}\end{pmatrix}_{{??}_{t}^{*}}},{{{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 130} \right\rbrack\end{matrix}$

In Formula 130, δx_(t.1) , . . . , δx _(t.nt) are respectively set asthe coefficient of the basis vectors b*_(t.1), . . . , b*_(t.nt) of thebasis B*_(t), 0 is set as the coefficient of each of the basis vectorsb*_(t.nt)+, . . . , b*_(t.nt+ut), φ_(t.1), . . . , φ_(t.zt) arerespectively set as the coefficient of the basis vectors b*_(t.nt+ut+1),. . . , b*_(t.nt+ut+zt), and 0 is set as the coefficient of the basisvector b_(t.nt+ut+zt+1).

(S205: Key Transmission Step)

Using the communication device and via the network, for example, the keytransmission part 150 transmits the decryption key sk_(Γ) having, aselements, the decryption key sk_(Γ) ^(CP-FE) of functional encryption,the attribute set Γ, and the decryption keys k*₀ and k*_(t) to thedecryption device 300 in secrecy. As a matter of course, the decryptionkey sk_(Γ) may be transmitted to the decryption device 300 by anothermethod.

In brief, in (S201) through (S204), the key generation device 100generates the decryption key sk_(Γ) by executing the KG algorithmindicated in Formula 131. In (S205), the key generation device 100transmits the decryption key sk_(Γ) to the decryption device 300.

$\begin{matrix}{{KG}\left( {{p\; k},{sk},{\Gamma = {\left( \left\{ {{\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)❘{{\overset{\rightarrow}{x}}_{t} \in {{??}_{q}^{n_{t}} \smallsetminus \left\{ \overset{\rightarrow}{0} \right\}}}},{1 \leq t \leq d}} \right\} \right):\mspace{79mu}{{{sk}_{\Gamma}^{{CP} - {FE}}\overset{R}{\longleftarrow}{{KG}_{{CP} - {FE}}\left( {{p\; k^{{CP} - {FE}}},{sk}^{{CP} - {FE}},\Gamma} \right)}}\mspace{79mu}\delta}}},{\varphi\overset{U}{\longleftarrow}{??}_{q}},{{{{{\overset{\rightarrow}{\varphi}}_{t}\overset{U}{\longleftarrow}{??}_{q}^{z_{t}}}\mspace{14mu}{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {\Gamma\mspace{79mu} k_{0}^{*}}}:=\left( {1,\delta,0,0,0,\varphi,0} \right)_{{??}_{0}^{*}}},\mspace{79mu}{k_{t}^{*}:=\begin{pmatrix}\overset{\overset{n_{t}}{︷}}{{\delta\;{\overset{\rightarrow}{x}}_{t}},} & \overset{\overset{u_{t}}{︷}}{0^{u_{t}},} & \overset{\overset{z_{t}}{︷}}{{\overset{\rightarrow}{\varphi}}_{t},} & \overset{\overset{1}{︷}}{0}\end{pmatrix}_{{??}_{t}^{*}}},{{{{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {\Gamma\mspace{79mu}{sk}_{\Gamma}}}:=\left( {{sk}_{\Gamma}^{{CP} - {FE}},\Gamma,k_{0}^{*},\left\{ k_{t}^{*} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \;\Gamma}} \right)},\mspace{79mu}{{returm}\mspace{14mu}{{sk}_{\Gamma}.}}} \right.} & \left\lbrack {{Formula}\mspace{14mu} 131} \right\rbrack\end{matrix}$

In (S201), the key generation device 100 generates a decryption keysk_(Γ) by executing the KG algorithm taking as input an attribute setΓ′:={(t, x′^(→) _(t):=(x→^(→) _(t.1), . . . , x→^(→) _(t.nt) δF_(q)^(nt)\{0^(→)}))|1≦t≦d} in which attribute information Γ′:={(t, x′^(→)_(t):=(x→^(→) _(t.1), . . . , x′_(t.nt) εF_(q) ^(nt)\{0^(→)}))|1≦t≦d} ofa user of the decryption key sk_(Γ) is set. Then, the key generationdevice 100 transmits the decryption key sk_(Γ):=(sk_(Γ) ^(CP-FE), Γ′,k′*₀, {k′*_(t)}_((t, x→t)εΓ′)) to the re-encrypted ciphertext decryptiondevice 500.

The function and operation of the encryption device 200 will bedescribed.

The encryption device 200 includes a public parameter receiving part210, an information input part 220, a signature processing part 230, anencryption part 240, and a ciphertext transmission part 250. Theencryption part 240 includes an f vector generation part 241, an svector generation part 242, a random number generation part 243, and aciphertext c^(enc) generation part 244.

With reference to FIG. 13, the process of the Enc algorithm will bedescribed.

(S301: Public Parameter Receiving Step)

Using the communication device and via the network, for example, thepublic parameter receiving part 210 receives the public parameter pkgenerated by the key generation device 100.

(S302: Information Input Step)

Using the input device, the information input part 220 takes as input anaccess structure S:=(M, ρ). Note that the access structure S is to beset according to the conditions of a system to be implemented, and thatattribute information of a user capable of decrypting a ciphertextct_(S) is set in ρ of the access structure S, for example. Note thatρ(i)=(t, v^(→) _(i):=(v_(i.1), . . . , v_(i.nt))εF_(q) ^(nt)\{0^(→)})(v_(i.nt)≠0).

Using the input device, the information input part 220 also takes asinput a message m to be transmitted to the decryption device 300.

(S303: Signature Key Generation Step)

Using the processing device, the signature processing part 230 computesFormula 132, and thus generates a signature key sigk and a verificationkey verk of one-time signature.

$\begin{matrix}{\left( {{sigk},{verk}} \right)\overset{R}{\longleftarrow}{{SigKG}\left( 1^{\lambda} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 132} \right\rbrack\end{matrix}$

(S304: f Vector Generation Step)

Using the processing device, the f vector generation part 241 randomlygenerates a vector f having r pieces of elements, as indicated inFormula 133.

$\begin{matrix}{\overset{\rightarrow}{f}\overset{U}{\longleftarrow}{??}_{q}^{r}} & \left\lbrack {{Formula}\mspace{14mu} 133} \right\rbrack\end{matrix}$

(S305: s Vector Generation Step)

Using the processing device and based on the (L rows×r columns) matrix Mincluded in the access structure S and the vector f^(→), the s vectorgeneration part 242 generates a vector s^(→T), as indicated in Formula134.{right arrow over (s)} ^(T):=(s ₁ , . . . ,s _(L))^(T) :=M·{right arrowover (f)} ^(T)  [Formula 134]Using the processing device and based on the vector f^(→), the s vectorgeneration part 242 also generates a value so, as indicated in Formula135.s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T)  [Formula 135]

(S306: Random Number Generation Step)

Using the processing device, the random number generation part 243generates random numbers, as indicated in Formula 136.

$\begin{matrix}{\rho,\eta,{\zeta\overset{U}{\longleftarrow}{??}_{q}},\theta_{i},{{{\eta_{i}\overset{U}{\longleftarrow}{??}_{q}}\mspace{14mu}{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},L} & \left\lbrack {{Formula}\mspace{14mu} 136} \right\rbrack\end{matrix}$

(S307: Ciphertext c^(enc) Generation Step)

Using the processing device, the ciphertext c^(enc) generation part 244generates a ciphertext c^(enc) ₀, as indicated in Formula 137.c ₀ ^(enc):=(ζ,−s ₀,ρ(verk,1),0,0,η

  [Formula 137]Using the processing device, the ciphertext c^(enc) generation part 244also generates a ciphertext c^(enc) _(i) for each integer i=1, . . . ,L, as indicated in Formula 138.

$\begin{matrix}{\mspace{79mu}{{{{{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},L}{{{{if}\mspace{14mu}{\rho(i)}} = {\left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i{.1}},\ldots\mspace{14mu},v_{i.n_{t}}} \right) \in {{??}_{q}^{n_{t}} \smallsetminus \left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i,n_{t}} \neq 0} \right)}},\mspace{79mu}{c_{i}^{enc}:=\begin{pmatrix}\overset{\overset{n_{t}}{︷}}{{{s_{i}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}{\overset{\rightarrow}{v}}_{i}}},} & \overset{\overset{u_{t}}{︷}}{0^{u_{t}},} & \overset{\overset{z_{t}}{︷}}{0^{z_{t}},} & \overset{\overset{1}{︷}}{\eta_{i}}\end{pmatrix}_{{??}_{t}}},\mspace{79mu}{{{if}\mspace{14mu}{\rho(i)}} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{79mu}{c_{i}^{enc}:=\begin{pmatrix}\overset{\overset{n_{t}}{︷}}{{s_{i}{\overset{\rightarrow}{v}}_{i}},} & \overset{\overset{u_{t}}{︷}}{0^{u_{t}},} & \overset{\overset{z_{t}}{︷}}{0^{z_{t}},} & \overset{\overset{1}{︷}}{\eta_{i}}\end{pmatrix}_{{??}_{t}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 138} \right\rbrack\end{matrix}$Using the processing device, the ciphertext c^(enc) generation part 244also generates a ciphertext c^(enc) _(d+1), as indicated in Formula 139.c _(d+1) ^(enc) =m·g _(T) ^(ζ)  [Formula 139]

(S308: Signature Generation Step)

Using the processing device, the signature processing part 230 computesFormula 140, and thus generates a signature Sig for an element C:=(S,{c^(enc) _(i)}_(i=0, . . . , L), c^(enc) _(d+1)) of the ciphertextct_(S).

$\begin{matrix}{{Sig}\overset{R}{\longleftarrow}{{Sig}\left( {{sigk},{C = \left( {{??},\left\{ c_{i}^{enc} \right\}_{{i = 0},\mspace{11mu}{\ldots\mspace{11mu} L}},c_{d + 1}^{enc}} \right)}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 140} \right\rbrack\end{matrix}$

(S309: Ciphertext Transmission Step)

Using the communication device and via the network, for example, theciphertext transmission part 250 transmits the ciphertext ct_(S) having,as elements, the access structure S, the ciphertexts c^(enc) ₀, c^(enc)₁, . . . , c^(enc) _(L), and c^(enc) _(d+1), the verification key verk,and the signature Sig to the decryption device 300. As a matter ofcourse, the ciphertext ct_(S) may be transmitted to the decryptiondevice 300 by another method.

In brief, in (S301) through (S308), the encryption device 200 generatesthe ciphertext ct_(S) by executing the Enc algorithm indicated inFormula 141. In (S309), the encryption device 200 transmits thegenerated ciphertext ct_(S) to the decryption device 300.

$\begin{matrix}{\mspace{79mu}{{{{Enc}\left( {{p\; k},m,{{??} = \left( {M,\rho} \right)}} \right)}\text{:}}\mspace{79mu}{\left( {{sigk},{verk}} \right)\overset{R}{\longleftarrow}{{SigKG}\left( 1^{\lambda} \right)}}\mspace{79mu}{{\overset{\rightarrow}{f}\overset{U}{\longleftarrow}{??}_{q}^{r}},{{\overset{\rightarrow}{s}}^{T}:={\left( {s_{1},\ldots\mspace{14mu},s_{L}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{T}}}},\mspace{79mu}{s_{0}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{T}}},\mspace{79mu}\rho,\eta,{\zeta\overset{U}{\longleftarrow}{??}_{q}},\mspace{79mu}{c_{0}^{enc}:=\left( {\zeta,{- s_{0}},{\rho\left( {{verk},1} \right)},0,0,\eta} \right)_{{??}_{0}}},\mspace{79mu}{{{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},L}{{{{if}\mspace{14mu}{\rho(i)}} = {\left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i{.1}},\ldots\mspace{14mu},v_{i.n_{t}}} \right) \in {{??}_{q}^{n_{t}} \smallsetminus \left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i,n_{t}} \neq 0} \right)}},\mspace{79mu}\theta_{i},{\eta_{i}\overset{U}{\longleftarrow}{??}_{q}},\mspace{85mu}{c_{i}^{enc}:=\begin{pmatrix}\overset{\overset{n_{t}}{︷}}{{{s_{i}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}{\overset{\rightarrow}{v}}_{i}}},} & \overset{\overset{u_{t}}{︷}}{0^{u_{t}},} & \overset{\overset{z_{t}}{︷}}{0^{z_{t}},} & \overset{\overset{1}{︷}}{\eta_{i}}\end{pmatrix}_{{??}_{t}}},\mspace{79mu}{{{if}\mspace{14mu}\rho(i)} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{79mu}{\eta_{i}\overset{U}{\longleftarrow}{??}_{q}},\mspace{85mu}{c_{i}^{enc}:=\begin{pmatrix}\overset{\overset{n_{t}}{︷}}{{s_{i}{\overset{\rightarrow}{v}}_{i}},} & \overset{\overset{u_{t}}{︷}}{0^{u_{t}},} & \overset{\overset{z_{t}}{︷}}{0^{z_{t}},} & \overset{\overset{1}{︷}}{\eta_{i}}\end{pmatrix}_{{??}_{t}}},\mspace{79mu}{c_{d + 1}^{enc} = {m \cdot g_{T}^{\zeta}}},\mspace{79mu}{{Sig}\overset{R}{\longleftarrow}{{Sig}\left( {{sigk},{C = \left( {{??},\left\{ c_{i}^{enc} \right\}_{{i = 0},\mspace{11mu}{\ldots\mspace{11mu} L}},c_{d + 1}^{enc}} \right)}} \right)}}}\mspace{79mu}{{{ct}_{??} = \left( {{??},\left\{ c_{i}^{enc} \right\}_{{i = 0},\mspace{11mu}\ldots\mspace{11mu},\; L},c_{d + 1}^{enc},{verk},{Sig}} \right)},\mspace{79mu}{{return}\mspace{14mu}{{ct}_{??}.}}}}} & \left\lbrack {{Formula}\mspace{14mu} 141} \right\rbrack\end{matrix}$

The function and operation of the decryption device 300 will bedescribed.

The decryption device 300 includes a decryption key receiving part 310,an information input part 320, a re-encryption key generation part 330,a re-encryption key transmission part 340, a ciphertext receiving part350, a verification part 360, a complementary coefficient computationpart 370, a pairing operation part 380, and a message computation part390. The re-encryption key generation part 330 includes a random numbergeneration part 331, a conversion information W₁ generation part 332, aconversion information W₁ encryption part 333, a decryption key k*^(rk)generation part 334, and a conversion part 335. The verification part360 includes a span program computation part 361 and a signatureverification part 362.

With reference to FIG. 14, the process of the RKG algorithm will bedescribed. The Dec2 algorithm will be described later.

(S401: Decryption Key Receiving Step)

Using the communication device and via the network, for example, thedecryption key receiving part 310 receives the decryption key sk_(Γ)transmitted by the key generation device 100. The decryption keyreceiving part 310 also receives the public parameter pk generated bythe key generation device 100.

(S402: Information Input step)

Using the input device, the information input part 320 takes as input anaccess structure S′:=(M′, ρ′). Note that the access structure S′ is tobe set according to the conditions of a system to be implemented, andthat attribute information of a user capable of decrypting are-encrypted ciphertext CT_(S′) is set in ρ′ of the access structure S′,for example. Note that ρ′(i)=(t,v^(→)′_(i):=(v′_(i.1), . . .,v′_(i.nt))εF_(q) ^(nt)\{0^(→)})(v′_(i,nt)≠0).

(S403: Random Number Generation Step)

Using the processing device, the random number generation part 331generates random numbers, as indicated in Formula 142.

$\begin{matrix}{\delta^{\prime},{\varphi^{\prime}\overset{U}{\longleftarrow}{??}_{q}},{{{{\overset{\rightarrow}{\varphi}}_{t}^{\prime}\overset{U}{\longleftarrow}{??}_{q}^{z_{t}}}\mspace{14mu}{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 142} \right\rbrack\end{matrix}$

(S404: Conversion Information W₁ Generation Step)

Using the processing device, the conversion information W₁ generationpart 332 generates conversion information W₁, as indicated in Formula143.

$\begin{matrix}{W_{1}\overset{R}{\longleftarrow}{{GL}\left( {7,{??}_{q}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 143} \right\rbrack\end{matrix}$

(S405: Conversion Information W₁ Encryption Step)

Using the processing device, the conversion information W₁ encryptionpart 333 computes Formula 144, and thus encrypts the conversioninformation W₁ with functional encryption and generates encryptedconversion information ψ^(rk). Since the conversion information W₁ isencrypted with functional encryption on input of the access structureS′, the conversion information W₁ is encrypted with the attributeinformation of the user capable of decrypting the re-encryptedciphertext CT_(S′) being set.

$\begin{matrix}{\psi^{rk}\overset{R}{\longleftarrow}{{Enc}_{{CP} - {FE}}\left( {{p\; k^{{CP} - {FE}}},{??}^{\prime},W_{1}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 144} \right\rbrack\end{matrix}$

(S406: Decryption Key k*^(rk) Generation Step)

Using the processing device, the decryption key k*^(rk) generation part334 generates a decryption key k*^(rk) ₀, as indicated in Formula 145.k* ₀ ^(rk):=(k* ₀+(0,δ′,0,0,0,ρ′,0

)W ₁  [Formula 145]

Using the processing device, the decryption key k*^(rk) generation part334 also generates a decryption key k*^(rk) _(t) for each integer tincluded in the attribute set Γ, as indicated in Formula 146.

$\begin{matrix}{{k_{t}^{*{rk}}:={k_{t}^{*} + \begin{pmatrix}\overset{\overset{n_{t}}{︷}}{{\delta^{\prime}{\overset{\rightarrow}{x}}_{t}},} & \overset{\overset{u_{t}}{︷}}{0^{u_{t}},} & \overset{\overset{z_{t}}{︷}}{{\overset{\rightarrow}{\varphi}}_{t}^{\prime},} & \overset{\overset{1}{︷}}{0}\end{pmatrix}_{{??}_{t}^{*}}}},{{{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 146} \right\rbrack\end{matrix}$

(S407: Conversion Step)

Using the processing device, the conversion part 335 computes Formula147, and thus generates a basis D^(^*) ₀.d* _(0.i) :=b* _(0.i) ,W ₁ for i=2,3,4,6,

*₀:=(d* _(0.2) ,d* _(0.3) ,d* _(0.4) ,d* _(0.6))  [Formula 147]

(S408: Key Transmission Step)

Using the communication device and via the network, for example, there-encryption key transmission part 340 transmits the re-encryption keyrk_((Γ.S′)) having, as elements, the attribute set Γ, the accessstructure S′, the decryption keys k*^(rk) ₀ and k*^(rk) _(t), theencrypted conversion information ψ^(rk), and the basis D^(^*) ₀ to there-encryption device 400 in secrecy. As a matter of course, there-encryption key rk_((Γ.S′)) may be transmitted to the re-encryptiondevice 400 by another method.

In brief, in (S401) through (S407), the decryption device 300 generatesthe re-encryption key rk_((Γ.S′)) by executing the RKG algorithmindicated in Formula 148. In (S408), the decryption device 300 transmitsthe generated re-encryption key rk_((Γ.S′)) to the re-encryption device400.

$\begin{matrix}{{{{RKG}\left( {{pk},{{sk}_{\Gamma} = \left( {{sk}_{\Gamma}^{{CP}\text{-}{FE}},\Gamma,k_{0}^{*},\left\{ k_{t}^{*} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma}} \right)},{{??}^{\prime} = \left( {M^{\prime},\rho^{\prime}} \right)}} \right)}\text{:}}\delta^{\prime},{\varphi^{\prime}\overset{U}{\leftarrow}{??}_{q}},{{{\overset{\rightarrow}{\varphi}}_{t}^{\prime}\overset{U}{\leftarrow}{{??}_{q}^{z_{t}}\mspace{14mu}{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)}} \in \Gamma},{W_{1}\overset{R}{\leftarrow}{{GL}\left( {7,{??}_{q}} \right)}},{\psi^{rk}\overset{R}{\leftarrow}{{Enc}_{{CP}\text{-}{FE}}\left( {{pk}^{{CP}\text{-}{FE}},{??}^{\prime},W_{1}} \right)}},{k_{0}^{*{rk}}:={\left( {k_{0}^{*} + \left( {0,\delta^{\prime},0,0,0,\varphi^{\prime},0} \right)_{{??}_{0}^{*}}} \right)W_{1}}},{k_{t}^{*{rk}}:={k_{t}^{*} + \left( {{\overset{n_{t}}{\overset{︷}{{\delta^{\prime}{\overset{\rightarrow}{x}}_{t}},}}\overset{u_{t}}{\overset{︷}{0_{t}^{\mu}}}},{\overset{z_{t}}{\overset{︷}{{\overset{\rightarrow}{\varphi}}_{t}^{\prime},}}\overset{1}{\overset{︷}{0}}}} \right)_{{??}_{t}^{*}}}},{{{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma},{d_{0.i}^{*}:={{b_{0.i}^{*}W_{1}\mspace{14mu}{for}\mspace{14mu} i} = 2}},3,4,6,{{\hat{??}}_{0}^{*}:=\left( {d_{0.2}^{*},d_{0.3}^{*},d_{0.4}^{*},d_{0.6}^{*}} \right)},{{rk}_{({\Gamma.{??}^{\prime}})} = \left( {\Gamma,{??}^{\prime},k_{0}^{*{rk}},\left\{ k_{t}^{*{rk}} \right\}_{{({t,\overset{\rightarrow}{x}})} \in \Gamma},\psi^{rk},{\hat{??}}_{0}^{*}} \right)},{{return}\mspace{14mu}{{rk}_{({\Gamma.{??}^{\prime}})}.}}} & \left\lbrack {{Formula}\mspace{14mu} 148} \right\rbrack\end{matrix}$

The function and operation of the re-encryption device 400 will bedescribed.

The re-encryption device 400 includes a public parameter receiving part410, a ciphertext receiving part 420, a re-encryption key receiving part430, a verification part 440, an encryption part 450, and a re-encryptedciphertext transmission part 460. The verification part 440 includes aspan program computation part 441 and a signature verification part 442.The encryption part 450 includes a random number generation part 451, anf vector generation part 452, an s vector generation part 453, aconversion information W₂ generation part 454, a conversion informationW₂ encryption part 455, a ciphertext c^(renc) generation part 456, and adecryption key k*^(renc) generation part 457.

With reference to FIG. 15, the process of the REnc algorithm will bedescribed.

(S501: Public Parameter Receiving Step)

Using the communication device and via the network, for example, thepublic parameter receiving part 410 receives the public parameter pkgenerated by the key generation device 100.

(S502: Ciphertext Receiving Step)

Using the communication device and via the network, for example, theciphertext receiving part 420 receives the ciphertext ct_(S) transmittedby the encryption device 200.

(S503: Re-Encryption Key Receiving Step)

Using the communication device and via the network, for example, there-encryption key receiving part 430 receives the re-encryption keyrk_((Γ.S′)) transmitted by the decryption device 300.

(S504: Span Program Computation Step)

Using the processing device, the span program computation part 441determines whether or not the access structure S included in theciphertext ct_(S) accepts Γ included in the re-encryption keyrk_((Γ.S′)). The method for determining whether or not the accessstructure S accepts Γ is as described in “3. Concept for ImplementingFPRE” in Embodiment 1.

If the access structure S accepts Γ (accept in S504), the span programcomputation part 441 advances the process to (S505). If the accessstructure S rejects Γ (reject in S504), the span program computationpart 441 ends the process.

(S505: Signature Verification Step)

Using the processing device, the signature verification part 442determines whether or not a result of computing Formula 149 is 1. If theresult is 1 (valid in S505), the signature verification part 442advances the process to (S506). If the result is 0 (invalid in S505),the signature verification part 442 ends the process.Ver(verk,C=(

,{c _(i) ^(enc)}_(i=0, . . . L) ,c _(d+1) ^(enc)),Sig)  [Formula 149]

(S506: Random Number Generation Step)

Using the processing device, the random number generation part 451generates random numbers, as indicated in Formula 150.

$\begin{matrix}{\delta^{''},\varphi^{''},\sigma,\rho^{\prime},\eta^{\prime},\zeta^{\prime},\theta_{i}^{\prime},{{\eta_{i}^{\prime}\overset{U}{\leftarrow}{{??}_{q}\mspace{14mu}{for}\mspace{14mu} i}} = 1},\cdots\mspace{14mu},L,\mspace{79mu}{{{\overset{\rightarrow}{\varphi}}_{t}^{''}\overset{U}{\leftarrow}{{??}_{q}^{z_{t}}\mspace{14mu}{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)}} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 150} \right\rbrack\end{matrix}$

(S507: f Vector Generation Step)

Using the processing device, the f vector generation part 452 randomlygenerates a vector f^(→)′ having r pieces of elements, as indicated inFormula 151.

$\begin{matrix}{{\overset{\rightarrow}{f}}^{\prime}\overset{R}{\leftarrow}{??}_{q}^{r}} & \left\lbrack {{Formula}\mspace{14mu} 151} \right\rbrack\end{matrix}$

(S508: s Vector Generation Step)

Using the processing device and based on the (L rows×r columns) matrix Mincluded in the access structure S and the vector f^(→)′, the s vectorgeneration part 453 generates a vector s^(→)′^(T), as indicated inFormula 152.{right arrow over (s)}′ ^(T):=(s′ ₁ , . . . ,s′ _(L))^(T) :=M·{rightarrow over (f)}′ ^(T)  [Formula 152]

Using the processing device and based on the vector f^(→)′, the s vectorgeneration part 453 also generates a value s₀′, as indicated in Formula153.s′ ₀:={right arrow over (1)}·{right arrow over (f)}′ ^(T)  [Formula 153]

(S509: Conversion Information W₂ Generation Step)

Using the processing device, the conversion information W₂ generationpart 454 generates conversion information W₂, as indicated in Formula154.

$\begin{matrix}{W_{2}\overset{R}{\leftarrow}{{GL}\left( {7,{??}_{q}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 154} \right\rbrack\end{matrix}$

(S510: Conversion Information W₂ Encryption Step)

Using the processing device, the conversion information W₂ encryptionpart 455 computes Formula 155, and thus encrypts the conversioninformation W₂ with functional encryption and generates encryptedconversion information ψ^(renc). Since the conversion information W₂ isencrypted with functional encryption on input of the access structureS′, the conversion information W₂ is encrypted with the attributeinformation of the user capable of decrypting the re-encryptedciphertext CT_(S′) being set.

$\begin{matrix}{\psi^{renc}\overset{R}{\leftarrow}{{Enc}_{{CP}\text{-}{FE}}\left( {{pk}^{{CP}\text{-}{FE}},{??}^{\prime},W_{2}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 155} \right\rbrack\end{matrix}$

(S511: Ciphertext c^(renc) Generation Step)

Using the processing device, the ciphertext c^(renc) generation part 456also generates a ciphertext c^(renc) ₀, as indicated in Formula 156.c ₀ ^(renc):=(c ₀ ^(enc)+(ζ′,−s′ ₀,ρ′(verk,1),0,0,η′

)W ₂  [Formula 156]

Using the processing device, the ciphertext c^(renc) generation part 456also generates a ciphertext c^(renc) _(i) for each integer i=1, . . . ,L, as indicated in Formula 157.

$\begin{matrix}{\mspace{79mu}{{{{{{{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},L}{if}\mspace{14mu}{\rho(i)}} = {\left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i{.1}},\ldots\mspace{14mu},v_{i.n_{t}}} \right) \in {{??}_{q}^{n_{t}}\backslash\left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i.n_{t}} \neq 0} \right)}},\mspace{79mu}{c_{i}^{renc}:={c_{i}^{enc} + \left( {{\overset{n_{t}}{\overset{︷}{{{s_{i}^{\prime}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}^{\prime}{\overset{\rightarrow}{v}}_{i}}},}}\overset{u_{t}}{\overset{︷}{0^{u_{t}}}}},{\overset{z_{t}}{\overset{︷}{0^{z_{t}},}}\overset{1}{\overset{︷}{\eta_{i}^{\prime}}}}} \right)_{{??}_{t}}}},\mspace{79mu}{{{if}\mspace{14mu}{\rho(i)}} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{79mu}{c_{i}^{renc}:={c_{i}^{enc} + \left( {{\overset{n_{t}}{\overset{︷}{{s_{i}^{\prime}{\overset{\rightarrow}{v}}_{i}},}}\overset{u_{t}}{\overset{︷}{0^{u_{t}}}}},{\overset{z_{t}}{\overset{︷}{0^{z_{i}},}}\overset{1}{\overset{︷}{\eta_{i}^{\prime}}}}} \right)_{{??}_{t}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 157} \right\rbrack\end{matrix}$

Using the processing device, the ciphertext c^(renc) generation part 456also generates a ciphertext c^(renc) _(d+1), as indicated in Formula158.c _(d+1) ^(renc) =c _(d+1) ^(enc) ·g _(T) ^(ζ′)  [Formula 158]

(S512: Decryption Key k*^(renc) Generation Step)

Using the processing device, the decryption key k*^(renc) generationpart 457 generates a decryption key k*^(renc) ₀, as indicated in Formula159.k* ₀ ^(renc) :=k* ^(rk)+(0,δ″,σ(−1,verk),0,φ″,0

  [Formula 159]

Using the processing device, the decryption key k*^(renc) generationpart 457 also generates a decryption key k*^(renc) _(t) for each integert included in the attribute set Γ, as indicated in Formula 160.

$\begin{matrix}{{k_{t}^{*{renc}}:={k_{t}^{*{rk}} + \left( {{\overset{n_{t}}{\overset{︷}{{\delta^{''}{\overset{\rightarrow}{x}}_{t}},}}\overset{u_{t}}{\overset{︷}{0^{u_{t}}}}},{\overset{z_{t}}{\overset{︷}{{\overset{\rightarrow}{\varphi}}_{t}^{''},}}\overset{1}{\overset{︷}{0}}}} \right)_{{??}_{t}^{*}}}},{{{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 160} \right\rbrack\end{matrix}$

(S513: Re-Encrypted Ciphertext Transmission Step)

Using the communication device and via the network, for example, there-encrypted ciphertext transmission part 460 transmits the re-encryptedciphertext CT_(S′) having, as elements, the access structure S′, theaccess structure S, the attribute set Γ, the decryption keys k*^(renc) ₀and k*^(renc) _(t), the ciphertexts c^(renc) ₀, c^(renc) _(i), andc^(renc) _(d+1), the encrypted conversion information ψ^(rk), and theencrypted conversion information ψ^(renc) to the re-encryption device400 in secrecy. As a matter of course, the re-encrypted ciphertextCT_(S′) may be transmitted to the re-encryption device 400 by anothermethod.

In brief, in (S501) through (S512), the re-encryption device 400generates the re-encrypted ciphertext CT_(S′) by executing the REncalgorithm indicated in Formula 161-1 and Formula 161-2. In (S513), there-encryption device 400 transmits the generated re-encrypted ciphertextCT_(S′) to the re-encrypted ciphertext decryption device 500.

$\begin{matrix}{{{{\left. {{REnc}\left( {{rk},_{({\Gamma,{??}^{\prime}})}{= \left( {\Gamma,{??}^{\prime},k_{0}^{*{rk}},\left\{ k_{t}^{*{rk}} \right\}_{{({t,\overset{\rightarrow}{x}})} \in \Gamma},\psi^{rk},{\hat{??}}_{0}^{*}} \right)},{{ct}_{??} = \left( {{??},\left\{ c_{i}^{enc} \right\}_{{i = 0},\ldots\mspace{14mu},L},c_{d + 1}^{enc}} \right)},{verk},{Sig}} \right)} \right)\text{:}}{{{{If}\mspace{14mu}{??}\mspace{14mu}{accepts}\mspace{14mu}\Gamma}:=\left\{ \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \right\}},{{and}\;\left. \quad\mspace{11mu}{{{{{Ve}r}\left( {{verk},{C = \left( {{??},\left\{ c_{i}^{enc} \right\}_{{i = 0},\ldots\mspace{14mu},L},c_{d + 1}^{enc}} \right)},{Sig}} \right)} = 1},{{then}{\mspace{11mu}\;}{compute}\mspace{14mu}{following}\mspace{20mu}\left\{ c_{i}^{renc} \right\}_{{i = 0},\ldots\mspace{14mu},L}},c_{d + 1}^{renc}} \right)},k_{0}^{*{renc}},\;{{and}\mspace{14mu}\left\{ k_{t}^{*{renc}} \right\}_{{({t,\overset{\rightarrow}{x}})} \in \Gamma}}}}{\delta^{''},\varphi^{''},\sigma,\rho^{\prime},\eta^{\prime},{\zeta^{\prime}\overset{U}{\leftarrow}{??}_{q}},{{\overset{\rightarrow}{\varphi}}_{t}^{''}\;\overset{U}{\leftarrow}{??}_{q}^{z_{t}}},\mspace{11mu}{{{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}}{{{\overset{\rightarrow}{f}}^{\prime}\overset{R}{\leftarrow}{??}_{q}^{r}},{{{\overset{\rightarrow}{s}}^{\prime}}^{T}:={\left( {s_{1}^{\prime},\ldots\mspace{14mu},s_{L}^{\prime}} \right)^{T}:={M \cdot {{\overset{\rightarrow}{f}}^{\prime}}^{T}}}},{s_{0}^{\prime}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{\prime\; T}}},\;{W_{2}\overset{R}{\leftarrow}{{GL}\left( {7,{??}_{q}} \right)}},\mspace{14mu}{\psi^{renc}\overset{R}{\leftarrow}{{Enc}_{{CP}\text{-}{FE}}\left( {{pk}^{{CP}\text{-}{FE}},{??}^{\prime},W_{2}} \right)}},}}\mspace{59mu}} & \left\lbrack {{Formula}\mspace{14mu} 161\text{-}1} \right\rbrack\end{matrix}$

The function and operation of the re-encrypted ciphertext decryptiondevice 500 will be described.

The re-encrypted ciphertext decryption device 500 includes a decryptionkey receiving part 510, a ciphertext receiving part 520, a span programcomputation part 530, a complementary coefficient computation part 540,a conversion information generation part 550, a conversion part 560, apairing operation part 570, and a message computation part 580. Thepairing operation part 570 and the message computation part 580 will bereferred to collectively as a decryption part.

With reference to FIG. 16, the process of the Dec1 algorithm will bedescribed.

(S601: Decryption Key Receiving Step)

Using the communication device and via the network, for example, thedecryption key receiving part 510 receives the decryption key sk_(Γ),transmitted by the key generation device 100. The decryption keyreceiving part 310 also receives the public parameter pk generated bythe key generation device 100.

(S602: Ciphertext Receiving Step)

Using the communication device and via the network, for example, theciphertext receiving part 520 receives the re-encrypted ciphertextCT_(S′) transmitted by the re-encryption device 400.

(S603: Span Program Computation Step)

Using the processing device, the span program computation part 530determines whether or not the access structure S included in there-encrypted ciphertext CT_(S′) accepts Γ included in the re-encryptedciphertext CT_(S′), and determines whether or not the access structureS′ included in the re-encrypted ciphertext CT_(S′) accepts Γ′ includedin the decryption key sk_(Γ′). The method for determining whether or notthe access structure S accepts Γ and whether or not the access structureS′ accepts Γ′ is as described in “3. Concept for Implementing FPRE” inEmbodiment 1.

If the access structure S accepts Γ and the access structure S′ acceptsΓ′ (accept in S603), the span program computation part 530 advances theprocess to (S604). If the access structure S rejects Γ or the accessstructure S′ rejects Γ′ (reject in S603), the span program computationpart 530 ends the process.

(S604: Complementary Coefficient Computation Step)

Using the processing device, the complementary coefficient computationpart 540 computes I and a constant (complementary coefficient){α_(i)}_(iεI) such that Formula 162 is satisfied.

$\begin{matrix}{\mspace{79mu}{{\overset{\rightarrow}{1} = {\sum\limits_{i = I}^{\;}{\alpha_{i}M_{i}}}}\mspace{79mu}{{{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M},{{{and}\mspace{14mu} I} \subseteq \left\{ {i \in \left\{ {1,\ldots\mspace{14mu},L} \right\}} \middle| {\left\lbrack {{\rho(i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee\left\lbrack {{\rho(i)} = {⫬ {{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \right\}}}}} & \left\lbrack {{Formula}\mspace{14mu} 162} \right\rbrack\end{matrix}$

(S605: Conversion Information Generation Step)

Using the processing device, the conversion information generation part550 generates conversion information W₁ ^(˜) and W₂ ^(˜), as indicatedin Formula 163.

$\begin{matrix}{{{\overset{\sim}{W}}_{1}\overset{R}{\leftarrow}{{Dec}_{{CP}\text{-}{FE}}\left( {{pk}^{{CP}\text{-}{FE}},{sk}_{\Gamma}^{{CP}\text{-}{FE}},\psi^{rk}} \right)}},{{\overset{\sim}{W}}_{2}\overset{R}{\leftarrow}{{Dec}_{{CP}\text{-}{FE}}\left( {{pk}^{{CP}\text{-}{FE}},{sk}_{\Gamma}^{{CP}\text{-}{FE}},\psi^{renc}} \right)}}} & \left\lbrack {{Formula}\mspace{14mu} 163} \right\rbrack\end{matrix}$

(S606: Conversion Step)

Using the processing device, the conversion part 560 generates adecryption key k*₀ ^(˜) by converting the basis of the decryption keyk*^(renc) ₀, and generates a ciphertext c₀ ^(˜) by converting the basisof the ciphertext c^(renc), as indicated in Formula 164.{tilde over (k)}* ₀ :=k* ₀ ^(renc) {tilde over (W)} ₁ ⁻¹,{tilde over (c)} ₀ :=c ₀ ^(renc) {tilde over (W)} ₂ ⁻¹  [Formula 164]

(S607: Pairing Operation Step)

Using the processing device, the pairing operation part 570 computesFormula 156, and thus generates a session key K^(˜).

$\begin{matrix}{\overset{\sim}{K}:={{{\mathbb{e}}\left( {{\overset{\sim}{c}}_{0},{\overset{\sim}{k}}_{0}^{*}} \right)} \cdot {\prod\limits_{i \in {{I\bigwedge{\rho{(i)}}} - {({t,{\overset{\rightarrow}{v}}_{i}})}}}^{\;}\;{{{\mathbb{e}}\left( {c_{i}^{renc},k_{t}^{*{renc}}} \right)}{\alpha_{i} \cdot {\prod\limits_{i \in {{I\bigwedge{\rho{(i)}}} - {({t,{\overset{\rightarrow}{v}}_{i}})}}}^{\;}\;{{{\mathbb{e}}\left( {c_{i}^{renc},k_{t}^{*{renc}}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}}}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 165} \right\rbrack\end{matrix}$

(S608: Message Computation Step)

Using the processing device, the message computation part 390 computesm′=c^(enc) _(d+1)/K^(˜), and thus generates a message m′(=m).

In brief, in (S601) through (S608), the re-encrypted ciphertextdecryption device 500 generates the message m′(=m) by executing the Dec1algorithm indicated in Formula 166.

$\begin{matrix}{\left. {{\left. {{Dec}_{1}\left( {{pk},{{sk}_{\Gamma^{\prime}} = \left( {{sk}_{\Gamma^{\prime}}^{{CP}\text{-}{FE}},\Gamma^{\prime},k_{0}^{*},\left\{ k_{t}^{*} \right\}_{{({t,{\overset{\rightarrow}{x}}_{i}^{\prime}})} \in \Gamma^{\prime}}} \right)},{{CT}_{{??}^{\prime}} = \left( {{??}^{\prime},{??},\Gamma,k_{0}^{*{renc}},\left\{ k_{t}^{*{renc}} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}^{\prime}})} \in \Gamma^{\prime}}} \right)},{{\left\{ c_{i}^{renc} \right\} i} = 0},\ldots\mspace{14mu},L,c_{d + 1}^{renc},\psi^{rk},\psi^{renc}} \right)} \right)\text{:}}{{{{If}\mspace{14mu}{??}\mspace{14mu}{accepts}{\mspace{11mu}\;}\Gamma}:={{\left\{ \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \right\}\mspace{14mu}{and}{\mspace{11mu}\;}{??}^{\prime}\mspace{14mu}{accepts}\mspace{14mu}\Gamma^{\prime}}:=\left( {t,\left( {\overset{\rightarrow}{x}}_{t}^{\prime} \right)} \right\}}},{{then}\mspace{14mu}{compute}\mspace{14mu} I{\mspace{11mu}\;}{and}\mspace{14mu}\left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu}{such}{\mspace{11mu}\;}{that}}}{\overset{\rightarrow}{1} = {\sum\limits_{i = I}^{\;}{\alpha_{i}M_{i}}}}{{{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}{\mspace{11mu}\;}{of}\mspace{14mu} M},{{{and}{\quad\quad}\mspace{14mu} I} \subseteq {\left\{ \left. {i \in \left\{ {1,\ldots\mspace{14mu}, L} \right\}} \middle| {\left\lbrack {{\rho(i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee} \right.\quad \right.\left\lbrack {{\rho(i)} = {⫬ {{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack}}}} \right\},\;{{\overset{\sim}{W}}_{1}\overset{R}{\leftarrow}{{Dec}_{{CP}\text{-}{FE}}\left( {{pk}^{{CP}\text{-}{FE}},{sk}_{\Gamma}^{{CP}\text{-}{FE}},\psi^{rk}} \right)}},{{\overset{\sim}{W}}_{2}\overset{R}{\leftarrow}{{Dec}_{{CP}\text{-}{FE}}\left( {{pk}^{{CP}\text{-}{FE}},{sk}_{\Gamma}^{{CP}\text{-}{FE}},\psi^{renc}} \right)}},{{\overset{\sim}{k}}_{0}^{*}:={k_{0}^{*{renc}}{\overset{\sim}{W}}_{1}^{- 1}}},{{\overset{\sim}{c}}_{0}:={c_{0}^{renc}{\overset{\sim}{W}}_{2}^{- 1}}},{\overset{\sim}{K}:={{{{\mathbb{e}}\left( {{\overset{\sim}{c}}_{0},{\overset{\sim}{k}}_{0}^{*}} \right)} \cdot {\prod\limits_{i \in {{I\bigwedge{\rho{(i)}}} - {({t,{\overset{\rightarrow}{v}}_{i}})}}}^{\;}\;{{{\mathbb{e}}\left( {c_{i}^{renc},k_{t}^{*{renc}}} \right)}{\alpha_{i} \cdot {\prod\limits_{i \in {{I\bigwedge{\rho{(i)}}} - {({t,{\overset{\rightarrow}{v}}_{i}})}}}^{\;}\;{{{\mathbb{e}}\left( {c_{i}^{renc},k_{t}^{*{renc}}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}m^{\prime}}}}}}}:={c_{d + 1}^{enc}/\overset{\sim}{K}}}},{{return}\mspace{14mu}{m^{\prime}.}}} & \left\lbrack {{Formula}\mspace{14mu} 166} \right\rbrack\end{matrix}$

With reference to FIG. 17, the process of the Dec2 algorithm will bedescribed.

(S701: Decryption Key Receiving Step)

Using the communication device and via the network, for example, thedecryption key receiving part 310 receives the decryption key sk_(Γ)transmitted by the key generation device 100. The decryption keyreceiving part 310 also receives the public parameter pk generated bythe key generation device 100.

(S702: Ciphertext Receiving Step)

Using the communication device and via the network, for example, theciphertext receiving part 350 receives the ciphertext ct_(S) transmittedby the re-encryption device 400.

(S703: Span Program Computation Step)

Using the processing device, the span program computation part 361determines whether or not the access structure S included in theciphertext ct_(S) accepts Γ included in the decryption key sk_(Γ). Themethod for determining whether or not the access structure S accepts Γis as described in “3. Concept for Implementing FPRE” in Embodiment 1.

If the access structure S accepts Γ (accept in S703), the span programcomputation part 361 advances the process to (S704). If the accessstructure S rejects Γ (reject in S703), the span program computationpart 361 ends the process.

(S704: Signature Verification Step)

Using the processing device, the signature verification part 362determines whether or not a result of computing Formula 167 is 1. If theresult is 1 (valid in S704), the signature verification part 442advances the process to (S705). If the result is 0 (invalid in S704),the signature verification part 442 ends the process.Ver(verk,C=(

,{c _(i) ^(enc)}_(i=0, . . . L) ,c _(d+1) ^(enc)),Sig)  [Formula 167]

(S705: Complementary Coefficient Computation Step)

Using the processing device, the complementary coefficient computationpart 370 computes I and a constant (complementary coefficient){α_(i)}_(iεI) such that Formula 168 is satisfied.

$\begin{matrix}{\mspace{85mu}{{\overset{\rightarrow}{1} = {\sum\limits_{i \in I}\;{\alpha_{i}M_{i}}}}\mspace{20mu}{{{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M},{{{and}\mspace{14mu} I} \subseteq \left\{ {i \in \left\{ {1,\ldots\mspace{14mu},L} \right\}} \middle| {\left\lbrack {{\rho(i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee\left\lbrack {{\rho(i)} = {⫬ {{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \right\}}}}} & \left\lbrack {{Formula}\mspace{14mu} 168} \right\rbrack\end{matrix}$

(S706: Pairing Operation Step)

Using the processing device, the pairing operation part 380 computesFormula 169, and thus generates a session key K.

$\begin{matrix}{K:={{e\left( {c_{0}^{enc},k_{0}^{*}} \right)} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}\;{e\left( {c_{i}^{enc},k_{t}^{*}} \right){\alpha_{i} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {⫬ {({t,{\overset{\rightarrow}{v}}_{i}})}}}\;{{e\left( {c_{i}^{enc},k_{t}^{*}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}}}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 169} \right\rbrack\end{matrix}$

(S707: Message Computation Step)

Using the processing device, the message computation part 390 computesm′=c^(enc) _(d+1)/K, and thus generates a message m′(=m).

In brief, in (S701) through (S707), the decryption device 300 generatesthe message m′(=m) by executing the Dec2 algorithm indicated in Formula170.

$\begin{matrix}{{{{{Dec}_{2}\left( {{pk},{{sk}_{\Gamma} = \left( {{sk}_{\Gamma}^{{CP} - {FE}},\Gamma,k_{0}^{*},\left\{ k_{t}^{*} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma}} \right)},{{ct}_{??} = \left( {{??},\left\{ c_{i}^{enc} \right\}_{{i = 0},\ldots\mspace{14mu},L},c_{d + 1}^{enc},{verk},{Sig}} \right)}} \right)}:\mspace{20mu}{{If}\mspace{14mu}{??}\mspace{14mu}{accepts}\mspace{14mu}\Gamma}}:=\left\{ \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \right\}}{{{{and}\mspace{14mu}{{Ver}\left( {{verk},{C = \left( {{??},\left\{ c_{i}^{enc} \right\}_{{i = 0},\ldots\mspace{14mu},L},c_{d + 1}^{enc}} \right)},{Sig}} \right)}} = 1},\mspace{20mu}{{then}\mspace{14mu}{compute}\mspace{14mu} I\mspace{14mu}{and}\mspace{14mu}\left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu}{such}\mspace{14mu}{that}}}\text{}\mspace{25mu}{\overset{\rightarrow}{1} = {\sum\limits_{i \in I}\;{\alpha_{i}M}}}\mspace{20mu}{{{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M},{{{and}\mspace{14mu} I} \subseteq \left\{ {i \in \left\{ {1,\ldots\mspace{14mu},L} \right\}} \middle| {\left\lbrack {{\rho(i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee\left\lbrack {{\rho(i)} = {⫬ {{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \right\}}}{K:={{e\left( {c_{0}^{enc},k_{0}^{*}} \right)} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}\;{{e\left( {c_{i}^{enc},k_{t}^{*}} \right)}{\alpha_{i} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {⫬ {({t,{\overset{\rightarrow}{v}}_{i}})}}}\;{{e\left( {c_{i}^{enc},k_{t}^{*}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}}}}}}}}\mspace{20mu}{{m^{\prime} = {c_{d + 1}^{enc}/K}},\mspace{20mu}{{return}\mspace{14mu}{m^{\prime}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 170} \right\rbrack\end{matrix}$

As described above, the cryptographic system according to Embodiment 1can implement the CP-FPRE scheme. Thus, a ciphertext can be forwarded toa set of various types of users with a single re-encryption key.

As a result, for example, various ciphertexts existing on a network canbe securely forwarded to users having various attributes, withoutdecrypting the ciphertexts. It is thus possible to securely andpractically entrust processing of ciphertexts to a trusted third party.

It has been described above that the decryption device 300 alsofunctions as a re-encryption key generation device, and that thedecryption device 300 executes the RKG algorithm as well as the Dec2algorithm. However, the decryption device 300 and the re-encryption keygeneration device may be implemented separately. In this case, thedecryption device 300 executes the Dec2 algorithm, and the re-encryptionkey generation device executes the RKG algorithm. In this case,therefore, the decryption device 300 includes functional components thatare required to execute the Dec2 algorithm, and the re-encryption keygeneration device includes functional components that are required toexecute the RKG algorithm.

Embodiment 2

The CP-FPRE scheme has been described in Embodiment 1. In Embodiment 2,a key-policy FPRE scheme (KP-FPRE) scheme will be described.

First, a basic structure of the KP-FPRE scheme will be described. Then,a basic configuration of a cryptographic processing system 10 thatimplements the KP-FPRE scheme will be described. Then, items used forimplementing the KP-FPRE scheme will be described. Then, the KP-FPREscheme and the cryptographic processing system 10 according to thisembodiment will be described in detail.

The basic structure of the KP-FPRE scheme will be briefly described. KP(key policy) means that a policy, namely an access structure, isembedded in a key.

<1-1. Basic Structure of KP-FPRE Scheme>

The KP-FPRE scheme consists of seven algorithms: Setup, KG, Enc, RKG,Renc, Dec1, and Dec2.

(Setup)

A Setup algorithm is a probabilistic algorithm that takes as input asecurity parameter λ and an attribute format n^(→):=(d; n₁, . . . ,n_(d); u₁, . . . , u_(d); z₁, . . . , z_(d)), and outputs a publicparameter pk and a master key sk.

(KG)

A KG algorithm is a probabilistic algorithm that takes as input anaccess structure S=(M, ρ), the public parameter pk, and the master keysk, and outputs a decryption key sk_(S).

(Enc)

An Enc algorithm is a probabilistic algorithm that takes as input amessage m, an attribute set Γ:={(t, x^(→) _(t))|x^(→) _(t)εF_(q) ^(nt),1≦t≦d}, and the public parameter pk, and outputs a ciphertext ct_(Γ).

(RKG)

An RKG algorithm is a probabilistic algorithm that takes as input thedecryption key sk_(S), an attribute set Γ′:={(t, x′^(→) _(t))|x′^(→)_(t) εF_(q) ^(nt), 1≦t≦d}, and the public parameter pk, and output are-encryption key rk_((S.Γ′)).

(REnc)

An REnc algorithm is a probabilistic algorithm that takes as input theciphertext ct_(Γ), the re-encryption key rk_((S.Γ′)), and the publicparameter pk, and outputs a re-encrypted ciphertext CT_(Γ).

(Dec1)

A Dec1 algorithm is an algorithm that takes as input the re-encryptedciphertext CT_(Γ), the decryption key sk_(S′), and the public parameterpk, and outputs the message m or the distinguished symbol ⊥.

(Dec2)

A Dec2 algorithm is an algorithm that takes as input the ciphertextct_(Γ), the decryption key sk_(Γ), and the public parameter pk, andoutputs the message m or the distinguished symbol ⊥.

<1-2. Cryptographic Processing System 10>

The cryptographic processing system 10 that executes the algorithms ofthe KP-FPRE scheme will be described.

FIG. 18 is a configuration diagram of the cryptographic processingsystem 10 that implements the KP-FPRE scheme.

Like the cryptographic processing system 10 illustrated in FIG. 5, thecryptographic processing system 10 includes a key generation device 100,an encryption device 200, a decryption device 300 (re-encryption keygeneration device), a re-encryption device 400, and a re-encryptedciphertext decryption device 500.

The key generation device 100 executes the Setup algorithm taking asinput a security parameter λ and an attribute format n^(→):=(d; n₁, . .. , n_(d); u₁, . . . , u_(d); z₁, . . . , z_(d)), and thus generates apublic parameter pk and a master key sk.

Then, the key generation device 100 publishes the public parameter pk.The key generation device 100 also executes the KG algorithm taking asinput an access structure S, and thus generates a decryption key sk_(S),and transmits the decryption key sk_(S) to the decryption device 300 insecrecy. The key generation device 100 also executes the KG algorithmtaking as input an access structure S′, and thus generates a decryptionkey sk_(S′), and transmits the decryption key sk_(S′) to there-encrypted ciphertext decryption device 500 in secrecy.

The encryption device 200 executes the Enc algorithm taking as input amessage m, an attribute set Γ, and the public parameter pk, and thusgenerates a ciphertext ct_(Γ). The encryption device 200 transmits theciphertext ct_(Γ) to the re-encryption device 400.

The decryption device 300 executes the RKG algorithm taking as input thepublic parameter pk, the decryption key sk_(S), and an attribute set Γ′,and thus generates a re-encryption key rk_((S.Γ′)). The decryptiondevice 300 transmits the re-encryption key rk_((S.Γ′)) to there-encryption device 400 in secrecy.

The decryption device 300 also executes the Dec2 algorithm taking asinput the public parameter pk, the decryption key sk_(S), and theciphertext ct_(Γ), and outputs the message m or the distinguished symbol⊥.

The re-encryption device 400 executes the REnc algorithm taking as inputthe public parameter pk, the re-encryption key rk_((S.Γ′)), and theciphertext ct_(Γ), and thus generates a re-encrypted ciphertext CT_(Γ).The re-encryption device 400 transmits the re-encrypted ciphertextCT_(Γ) to the re-encrypted ciphertext decryption device 500.

The re-encrypted ciphertext decryption device 500 executes the Dec1algorithm taking as input the public parameter pk, the decryption keysk_(S′), and the re-encrypted ciphertext CT_(Γ′), and outputs themessage m or the distinguished symbol 1.

<1-3. Items Used to Implement KP-FPRE Scheme>

To implement the KP-FPRE scheme, key-policy functional encryption(KP-FE) and one-time signature are used. Since both are publicly knowntechniques, a scheme to be used in the following description will bebriefly described. An example of a KP-FE scheme is discussed in PatentLiterature 1. One-time signature is as described in Embodiment 1, anddescription thereof will be omitted.

The KP-FE scheme consists of four algorithms: Setup_(KP-FE), KG_(KP-FE),Enc_(KP-FE), and Dec_(KP-FE).

(Setup_(KP-FE))

A Setup_(KP-FE) algorithm is a probabilistic algorithm that takes asinput a security parameter λ and an attribute format n^(→):=(d; n₁, . .. , n_(d)), and outputs a public parameter pk^(KP-FE) and a master keysk^(KP-FE).

(KG_(KP-FE))

A KG_(KP-FE) algorithm is a probabilistic algorithm that takes as inputan access structure S=(M, ρ), the public parameter pk^(KP-FE), and themaster key sk^(KP-FE), and outputs a decryption key sk_(S) ^(KP-FE)

(Enc_(KP-FE))

An Enc_(KP-FE) algorithm is a probabilistic algorithm that takes asinput a message m, an attribute set Γ:={(t, x^(→) _(t))|x^(→) _(t)εF_(q) ^(nt), 1≦t≦d}, and the public parameter pk^(KP-FE), and outputs aciphertext ψ.

(Dec_(KP-FE))

A Dec_(KP-FE) algorithm is an algorithm that takes as input theciphertext ψ, the decryption key sk_(S) ^(KP-FE), and the publicparameter pk^(KP-FE), and outputs the message m or the distinguishedsymbol ⊥.

<1-4. KP-FPRE Scheme and Cryptographic Processing System 10 in Detail>

With reference to FIG. 19 through FIG. 29, the KP-FPRE scheme will bedescribed, and the function and operation of the cryptographicprocessing system 10 that implements the KP-FPRE scheme will bedescribed.

FIG. 19 is a functional block diagram illustrating the function of thekey generation device 100. FIG. 20 is a functional block diagramillustrating the function of the encryption device 200. FIG. 21 is afunctional block diagram illustrating the function of the decryptiondevice 300. FIG. 22 is a functional block diagram illustrating thefunction of the re-encryption device 400. FIG. 23 is a functional blockdiagram illustrating the function of the re-encrypted ciphertextdecryption device 500.

FIG. 24 is a flowchart illustrating the operation of the key generationdevice 100 and illustrating the process of the KG algorithm. FIG. 25 isa flowchart illustrating the operation of the encryption device 200 andillustrating the process of the Enc algorithm. FIG. 26 is a flowchartillustrating the operation of the decryption device 300 and illustratingthe process of the RKG algorithm. FIG. 27 is a flowchart illustratingthe operation of the re-encryption device 400 and illustrating theprocess of the REnc algorithm. FIG. 28 is a flowchart illustrating theoperation of the re-encrypted ciphertext decryption device 500 andillustrating the process of the Dec1 algorithm. FIG. 29 is a flowchartillustrating the operation of the decryption device 300 and illustratingthe process of the Dec2 algorithm.

The function and operation of the key generation device 100 will bedescribed.

The key generation device 100 includes a master key generation part 110,a master key storage part 120, an information input part 130, adecryption key generation part 140, and a key transmission part 150. Thedecryption key generation part 140 includes a random number generationpart 142, a decryption key k* generation part 143, a KP-FE keygeneration part 144, an f vector generation part 145, and an s vectorgeneration part 146.

The process of the Setup algorithm is the same as the process of theSetup algorithm described in Embodiment 1, and thus description thereofwill be omitted. However, in S102 in Embodiment 1, a public parameterpk^(CP-FE) and a master key sk^(CP-FE) of CP-FE are generated, whereasin Embodiment 2 a public parameter pk^(KP-FE) and a master keysk^(KP-FE) of KP-FE are generated. Subbases B^₀, B^_(t), B^*₀, andB^*_(t) are constructed differently from Embodiment 1, as indicated inFormula 171.

₀:=(b _(0.1) ,b _(0.2) ,b _(0.3) ,b _(0.4) ,b _(0.6)),

_(t):=(b _(t.1) , . . . ,b _(t.n) _(t) ,b _(t.N) _(t) ) for t=1, . . .,d

*₀:=(b* _(0.1) ,b* _(0.2) ,b* _(0.3) ,b* _(0.4) ,b* _(0.7)),

*_(t):=(b* _(t.1) , . . . ,b* _(t.n) _(t) ,b* _(t.N) _(t+ut+1) , . . .,b* _(t.n) _(t) _(+u) _(t) _(+z) _(t) ) for t=1, . . . ,d  [Formula 171]

In brief, the key generation device 100 generates a public parameter pkand a master key sk by executing the Setup algorithm indicated inFormula 172-1 and Formula 172-2.

$\begin{matrix}{{{{{Setup}\left( {1^{\lambda},{\overset{\rightarrow}{n} = \left( {{d;n_{1}},\ldots\mspace{14mu},{n_{d};u_{1}},\ldots\mspace{14mu},{u_{d};z_{1}},\ldots\mspace{14mu},z_{d}} \right)}} \right)}:\mspace{20mu}{param}_{??}}:={\left( {q,{??},{??}_{T},g,e} \right)\overset{R}{\leftarrow}{{??}_{bpg}\left( 1^{\lambda} \right)}}},\mspace{20mu}{N_{0}:=7},\mspace{20mu}{N_{t}:={{n_{t} + u_{t} + z_{t} + {1\mspace{14mu}{for}\mspace{14mu} t}} = 1}},\ldots\mspace{14mu},d,\mspace{20mu}{\psi\overset{U}{\longleftarrow}{??}_{q}^{x}},{g_{T}:={e\left( {g,g} \right)}^{\psi}},\mspace{20mu}{{{for}\mspace{14mu} t} = 0},\ldots\mspace{14mu},d,{{parm}_{{??}_{t}}:={\left( {q,{??},{??}_{T},{??}_{T},e} \right)\overset{R}{\longleftarrow}{{??}_{dpvs}\left( {1^{\lambda},N_{t},{param}_{??}} \right)}}},\mspace{20mu}{X_{t} = {\begin{pmatrix}{{\overset{\rightarrow}{\chi}}_{t},1} \\\vdots \\{{\overset{\rightarrow}{\chi}}_{t},N_{t}}\end{pmatrix}:={\left( \chi_{t,i,j} \right)_{i,j}\overset{U}{\longleftarrow}{{GL}\left( {N_{t},{??}_{q}} \right)}}}},\mspace{20mu}{\begin{pmatrix}{{\overset{\rightarrow}{v}}_{t},1} \\\vdots \\{{\overset{\rightarrow}{v}}_{t},N_{t}}\end{pmatrix}:={\left( v_{t,i,j} \right)_{i,j}:={\psi \cdot \left( X_{t}^{T} \right)^{- 1}}}},} & \left\lbrack {{Formula}\mspace{14mu} 172\text{-}1} \right\rbrack \\{\mspace{79mu}{{{b_{t.i}:={\sum\limits_{j = 1}^{N_{t}}\;{\chi_{t,i,j}a_{t,j}}}},{{??}_{t}:=\left( {b_{t{.1}},\ldots\mspace{14mu},b_{t.N_{t}}} \right)},\mspace{20mu}{b_{t.i}^{*}:={\sum\limits_{j = 1}^{N_{t}}\;{v_{t,i,j}a_{t,j}}}},{{??}_{t}^{*}:=\left( {b_{t{.1}}^{*},\ldots\mspace{14mu},b_{t.N_{t}}^{*}} \right)},\mspace{20mu}{\left( {{pk}^{{KP} - {FE}},{sk}^{{KP} - {FE}}} \right)\overset{R}{\longleftarrow}{{Setup}_{{KP} - {FE}}\left( {1^{\lambda},\overset{\rightarrow}{n}} \right)}}}\mspace{20mu}{{{\hat{??}}_{0}:=\left( {b_{0.1},b_{0.2},b_{0.3},b_{0.4},b_{0.6}} \right)},\mspace{79mu}{{\hat{??}}_{t}:={{\left( {b_{t{.1}},\ldots\mspace{14mu},b_{t.n_{t}},b_{t.N_{t}}} \right)\mspace{14mu}{for}\mspace{14mu} t} = 1}},\ldots\mspace{14mu},d,\mspace{79mu}{{\hat{??}}_{0}^{*}:=\left( {b_{0.1}^{*},b_{0.2}^{*},b_{0.3}^{*},b_{0.4}^{*},b_{0.7}^{*}} \right)},\mspace{79mu}{{\hat{??}}_{t}^{*}:=\left( {b_{t{.1}}^{*},\ldots\mspace{14mu},b_{t.n_{t}}^{*},b_{{t.n_{t}} + u_{t} + 1}^{*},\ldots\mspace{14mu},b_{{t.n_{t}} + u_{t} + z_{t}}^{*}} \right)}}\mspace{20mu}{{{{for}\mspace{14mu} t} = 1},\ldots\mspace{14mu},d,\mspace{20mu}{{param}_{\overset{\rightarrow}{n}}:=\left( {\left\{ {param}_{{??}_{t}} \right\}_{{t = 0},\ldots\mspace{14mu},d},g_{T}} \right)},{{pk}:=\left( {{pk}^{{KP} - {FE}},1^{\lambda},{param}_{\overset{\rightarrow}{n}},\left\{ {\hat{??}}_{t} \right\}_{{t = 0},\ldots\mspace{14mu},d},b_{0.2}^{*},b_{0.3}^{*},b_{0.4}^{*},b_{0.7}^{*},{{\begin{Bmatrix}{b_{t{.1}}^{*},\ldots\mspace{14mu},b_{t.n_{t}}^{*},b_{{t.n_{t}} + u_{t} + 1}^{*},\ldots\mspace{14mu},} \\b_{{t.n_{t}} + u_{t} + z_{t}}^{*}\end{Bmatrix}t} = 1},\ldots\mspace{14mu},d} \right)},\mspace{20mu}{{sk}:=\left( {{sk}^{{KP} - {FE}},{\hat{??}}_{0}^{*}} \right)},\mspace{20mu}{{return}\mspace{14mu}{pk}},{{sk}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 172\text{-}2} \right\rbrack\end{matrix}$

With reference to FIG. 24, the process of the KG algorithm will bedescribed.

(S801: Information Input Step)

Using the input device, the information input part 130 takes as input anaccess structure S:=(M, ρ). The matrix M of the access structure S is tobe set according to the conditions of a system to be implemented.Attribute information of a user of a decryption key sk_(S) is set in ρof the access structure S, for example. Note that ρ(i)=(t, v^(→)_(i):=(v_(i.1), . . . , v_(i.nt))εF_(q) ^(nt)\{0^(→)}) (v_(i,nt)≠0).

(S802: KP-FE Decryption Key Generation Step)

Using the processing device, the KP-FE key generation part 144 computesFormula 173, and thus generates a decryption key sk_(S) ^(KP-FE) offunctional encryption.

$\begin{matrix}{{sk}_{??}^{{KP} - {FE}}\overset{R}{\longleftarrow}{{KG}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},{sk}^{{KP} - {FE}},{??}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 173} \right\rbrack\end{matrix}$

(S803: f Vector Generation Step)

Using the processing device, the f vector generation part 145 randomlygenerates a vector f^(→) having r pieces of elements, as indicated inFormula 174.

$\begin{matrix}{\overset{\rightarrow}{f}\overset{U}{\longleftarrow}{??}_{q}^{r}} & \left\lbrack {{Formula}\mspace{14mu} 174} \right\rbrack\end{matrix}$

(S804: s Vector Generation Step)

Using the processing device and based on the (L rows×r columns) matrix Mincluded in the access structure S and the vector f^(→), the s vectorgeneration part 146 generates a vector s^(→T):=(s₁, . . . , s_(L))^(T),as indicated in Formula 175.{right arrow over (s)} ^(T):=(s ₁ , . . . ,s _(L))^(T) :=M·{right arrowover (f)} ^(T)  [Formula 175]Using the processing device and based on the vector f^(→), the s vectorgeneration part 146 also generates a value so, as indicated in Formula176.s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T)  [Formula 176]

(S805: Random Number Generation Step)

Using the processing device, the random number generation part 142generates random numbers, as indicated in Formula 177.

$\begin{matrix}{{\eta\overset{U}{\longleftarrow}{??}_{q}},{{\theta_{i}\mspace{14mu}{for}\mspace{14mu} i} = 1},{\ldots\mspace{14mu} L},{{{{\overset{\rightarrow}{\eta}}_{i}\overset{U}{\longleftarrow}{??}_{q}^{z_{t}}}\mspace{14mu}{for}\mspace{14mu} i} = 1},{\ldots\mspace{14mu} L}} & \left\lbrack {{Formula}\mspace{14mu} 177} \right\rbrack\end{matrix}$

(S806: Decryption Key k* Generation Step)

Using the processing device, the decryption key k* generation part 143generates a decryption key k*₀, as indicated in Formula 178.k* ₀:=(1,−s ₀,0,0,0,0,η

  [Formula 178]Using the processing device, the decryption key k* generation part 143also generates a decryption key k*_(i) for each integer i=1, . . . , L,as indicated in Formula 179.

$\begin{matrix}{\mspace{79mu}{{{{{for}\mspace{14mu} i} = 1},{\ldots\mspace{14mu} L}}{{{{if}\mspace{14mu}{\rho(i)}} = {\left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i{.1}},\ldots\mspace{14mu},v_{i.n_{t}}} \right) \in {{??}_{q}^{n_{t}}\backslash\left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i,n_{t}} \neq 0} \right)}},\mspace{20mu}{k_{i}^{*}:={\left( {\overset{\overset{n_{t}}{︷}}{{{s_{i}\mspace{14mu}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}\mspace{14mu}{\overset{\rightarrow}{v}}_{i}}},}\mspace{14mu}\overset{\overset{u_{t}}{︷}}{0^{u_{t}},}\mspace{14mu}\overset{\overset{z_{t}}{︷}}{{\overset{\rightarrow}{\eta}}_{i},}\mspace{14mu}\overset{\overset{1}{︷}}{0}} \right){??}_{t}^{*}}},\mspace{20mu}{{{if}\mspace{14mu}{\rho(i)}} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu}{k_{i}^{*}:={\left( {\overset{\overset{n_{t}}{︷}}{{s_{i}\;{\overset{\rightarrow}{v}}_{i}},}\mspace{14mu}\overset{\overset{u_{t}}{︷}}{0^{u_{t}},}\mspace{14mu}\overset{\overset{z_{t}}{︷}}{{\overset{\rightarrow}{\eta}}_{i},}\mspace{14mu}\overset{\overset{1}{︷}}{0}} \right){??}_{t}^{*}}},}}} & \left\lbrack {{Formula}\mspace{14mu} 179} \right\rbrack\end{matrix}$

(S807: Key Transmission Step)

Using the communication device and via the network, for example, the keytransmission part 150 transmits the decryption key sk_(S) having, aselements, the access structure S and the decryption keys k*₀ and k*_(i)to the decryption device 300 in secrecy. As a matter of course, thedecryption key sk_(S) may be transmitted to the decryption device 300 byanother method.

In brief, in (S801) through (S806), the key generation device 100generates the decryption key sk_(S) by executing the KG algorithmindicated in Formula 180. In (S807), the key generation device 100transmits the generated decryption key sk_(S) to the decryption device300.

$\begin{matrix}{\mspace{79mu}{{{{{KG}\left( {{pk},{sk},{{??} = \left( {M,\rho} \right)}} \right)}:\mspace{20mu}{{sk}_{??}^{{KP} - {FE}}\overset{R}{\longleftarrow}{{KG}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},{sk}^{{KP} - {FE}},{??}} \right)}}},\mspace{20mu}{\overset{\rightarrow}{f}\overset{U}{\longleftarrow}{??}_{q}^{r}},\mspace{20mu}{{\overset{\rightarrow}{s}}^{T}:={\left( {s_{1},\ldots\mspace{14mu},s_{L}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{T}}}},{s_{0}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{T}}},\mspace{20mu}{\eta\overset{U}{\longleftarrow}{??}_{q}},\mspace{20mu}{k_{0}^{*}:=\left( {1,{- s_{0}},0,0,0,0,\eta} \right)_{{??}_{0}^{*}}},\mspace{20mu}{{{for}\mspace{14mu} i} = 1},{\ldots\mspace{14mu} L}}{{{{if}\mspace{14mu}{\rho(i)}} = {\left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i{.1}},\ldots\mspace{14mu},v_{i.n_{t}}} \right) \in {{??}_{q}^{n_{t}}\backslash\left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i,n_{t}} \neq 0} \right)}},\mspace{20mu}{\theta_{i}\overset{U}{\longleftarrow}{??}_{q}},{{\overset{\rightarrow}{\eta}}_{i}\overset{U}{\longleftarrow}{??}_{q}^{z_{t}}},\mspace{20mu}{k_{i}^{*}:=\left( {\overset{\overset{n_{t}}{︷}}{{{s_{i}\mspace{14mu}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}\mspace{14mu}{\overset{\rightarrow}{v}}_{i}}},}\mspace{14mu}\overset{\overset{u_{t}}{︷}}{0^{u_{t}},}\mspace{14mu}\overset{\overset{z_{t}}{︷}}{{\overset{\rightarrow}{\eta}}_{i},}\mspace{14mu}\overset{\overset{1}{︷}}{0}} \right)_{{??}_{t}^{*}}},\mspace{20mu}{{{if}\mspace{14mu}\rho(i)} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu}{{\overset{\rightarrow}{\eta}}_{i}\overset{U}{\longleftarrow}{??}_{q}},\mspace{20mu}{k_{i}^{*}:=\left( {\overset{\overset{n_{t}}{︷}}{{s_{i}\;{\overset{\rightarrow}{v}}_{i}},}\mspace{14mu}\overset{\overset{u_{t}}{︷}}{0^{u_{t}},}\mspace{14mu}\overset{\overset{z_{t}}{︷}}{{\overset{\rightarrow}{\eta}}_{i},}\mspace{14mu}\overset{\overset{1}{︷}}{0}} \right)_{{??}_{t}^{*}}},\mspace{20mu}{{sk}_{??}:=\left( {{sk}_{??}^{{KP} - {FE}},{??},k_{0}^{*},\left\{ k_{i}^{*} \right\}_{{i = 1},{\ldots\mspace{14mu} L}}} \right)},\mspace{20mu}{{return}\mspace{14mu}{{sk}_{??}.}}}}} & \left\lbrack {{Formula}\mspace{14mu} 180} \right\rbrack\end{matrix}$

In (S801), the key generation device 100 generates a decryption keysk_(S′) by executing the KG algorithm taking as input an accessstructure S′:=(M, ρ′) in which attribute information of a user of thedecryption key sk_(S′) is set. Then, the decryption key sk_(S′):=(S′,k′*₀, k′*_(i)) is transmitted to the re-encrypted ciphertext decryptiondevice 500. Note that ρ′(i)=(t, v^(→)′_(i):=(v′_(i.1), . . . ,v_(i.nt))εF_(q) ^(nt)\{0^(→)})(v′_(i,nt)≠0).

The function and operation of the encryption device 200 will bedescribed.

The encryption device 200 includes a public parameter receiving part210, an information input part 220, a signature processing part 230, anencryption part 240, and a ciphertext transmission part 250. Theencryption part 240 includes a random number generation part 243 and aciphertext c^(enc) generation part 244.

With reference to FIG. 25, the process of the Enc algorithm will bedescribed.

(S901: Public Parameter Receiving Step)

Using the communication device and via the network, for example, thepublic parameter receiving part 210 receives the public parameter pkgenerated by the key generation device 100.

(S902: Information Input Step)

Using the input device, the information input part 220 also takes asinput an attribute set Γ:={(t, x^(→) _(t):=(x_(t.1), . . . , x_(t.nt)εF_(q) ^(nt)))|1≦t≦d}. Note that t may be at least some of integers from1 to d, instead of being all of integers from 1 to d. Attributeinformation of a user capable of decryption is set in the attribute setΓ, for example. Using the input device, the information input part 220takes as input a message m to be transmitted to the decryption device300.

(S903: Signature Key Generation Step)

Using the processing device, the signature processing part 230 computesFormula 181, and thus generates a signature key sigk and a verificationkey verk of one-time signature.

$\begin{matrix}{\left( {{sigk},{verk}} \right)\overset{R}{\longleftarrow}{{SigKG}\left( 1^{\lambda} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 181} \right\rbrack\end{matrix}$

(S904: Random Number Generation Step)

Using the processing device, the random number generation part 243generates random numbers, as indicated in Formula 182.

$\begin{matrix}{\rho,ϛ,\delta,{\varphi\overset{U}{\longleftarrow}{??}_{q}},{{{\varphi_{t}\overset{U}{\longleftarrow}{??}_{q}}\mspace{14mu}{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 182} \right\rbrack\end{matrix}$

(S905: Ciphertext c^(enc) Generation Step)

Using the processing device, the ciphertext c^(enc) generation part 232generates a ciphertext c^(enc) ₀, as indicated in Formula 183.c ₀ ^(enc):=(ζ,δ,ρ(verk,1),0,ρ,0)

₀  [Formula 183]

Using the processing device, the ciphertext c^(enc) generation part 232generates a ciphertext c^(enc) _(t) for each integer t included in theattribute information Γ, as indicated in Formula 184.

$\begin{matrix}{c_{t}^{enc}:={{\left( {\overset{\overset{n_{t}}{︷}}{{\delta\;{\overset{\rightarrow}{x}}_{t}},}\mspace{14mu}\overset{\overset{u_{t}}{︷}}{0^{u_{t}},}\mspace{14mu}\overset{\overset{z_{t}}{︷}}{0^{z_{t}},}\mspace{14mu}\overset{\overset{1}{︷}}{\varphi_{t}}} \right)_{{??}_{t}}\mspace{14mu}{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 184} \right\rbrack\end{matrix}$

Using the processing device, the ciphertext c^(enc) generation part 232also generates a ciphertext c^(enc) _(d+1), as indicated in Formula 185.c _(d+1) ^(enc) =m·g _(T) ^(ζ)  [Formula 185]

(S906: Signature Generation Step)

Using the processing device, the signature processing part 230 computesFormula 186, and thus generates a signature Sig for an element C:=(S,c^(enc) ₀, {c^(enc) _(t)}_((t,xt→)εΓ), c^(enc) _(d+1)) of the ciphertextct_(Γ).

$\begin{matrix}{{Sig}\overset{R}{\longleftarrow}{{Sig}\left( {{sigk},{C = \left( {{??},c_{0}^{enc},\left\{ c_{t}^{enc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma},c_{d + 1}^{enc}} \right)}} \right)}} & \left\lbrack {{Formual}\mspace{14mu} 186} \right\rbrack\end{matrix}$

(S907: Ciphertext Transmission Step)

Using the communication device and via the network, for example, theciphertext transmission part 250 transmits the ciphertext ct_(Γ) having,as elements, the attribute set Γ, the ciphertexts c^(enc) ₀, c^(enc)_(t), and c^(enc) _(d+1), the verification key verk, and the signatureSig to the decryption device 300. As a matter of course, the ciphertextct_(Γ) may be transmitted to the decryption device 300 by anothermethod.

In brief, in (S901) through (S906), the encryption device 200 generatesthe ciphertext ct_(Γ) by executing the Enc algorithm indicated inFormula 187. In (S907), the encryption device 200 transmits thegenerated ciphertext ct_(Γ) to the decryption device 300.

$\begin{matrix}{{Enc}\left( {{pk},m,{\Gamma = {\left( \left\{ {\left. \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \middle| {{\overset{\rightarrow}{x}}_{t} \in {{??}_{q}^{n_{t}}\backslash\left\{ \overset{\rightarrow}{0} \right\}}} \right.,{1 \leq t \leq d}} \right\} \right):\mspace{20mu}{\left( {{sigk},{verk}} \right)\overset{R}{\longleftarrow}{{SigKG}\left( 1^{\lambda} \right)}}}},\mspace{20mu}\rho,Ϛ,\delta,\varphi,{{{\varphi_{t}\overset{U}{\longleftarrow}{??}_{q}}\mspace{14mu}{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma},\mspace{20mu}{c_{0}^{enc}:=\left( {Ϛ,\delta,{\rho\left( {{verk},1} \right)},0,\varphi,0} \right)_{{??}_{0}}},\mspace{20mu}{{{{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {\Gamma\mspace{20mu} c_{t}^{enc}}}:=\left( {\overset{\overset{n_{t}}{︷}}{{\delta\;{\overset{\rightarrow}{x}}_{t}},}\mspace{14mu}\overset{\overset{u_{t}}{︷}}{0^{u_{t}},}\mspace{14mu}\overset{\overset{z_{t}}{︷}}{0^{z_{t}},}\mspace{14mu}\overset{\overset{1}{︷}}{\varphi_{t}}} \right)_{{??}_{t}}},\mspace{20mu}{c_{d + 1}^{enc} = {m \cdot g_{T}^{Ϛ}}},{{Sig}\overset{R}{\longleftarrow}{{Sig}\left( {{sigk},{C = \left( {{??},c_{0}^{enc},\left\{ c_{t}^{enc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma},c_{d + 1}^{enc}} \right)}} \right)}},\mspace{20mu}{{ct}_{\Gamma}\left( {\Gamma,c_{0}^{enc},\left\{ c_{t}^{enc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma},c_{d + 1}^{enc},{verk},{Sig}} \right)},\mspace{20mu}{{return}\mspace{14mu}{{ct}_{\Gamma}.}}} \right.} & \left\lbrack {{Formual}\mspace{14mu} 187} \right\rbrack\end{matrix}$

The function and operation of the decryption device 300 will bedescribed.

The decryption device 300 includes a decryption key receiving part 310,an information input part 320, a re-encryption key generation part 330,a re-encryption key transmission part 340, a ciphertext receiving part350, a verification part 360, a complementary coefficient computationpart 370, a pairing operation part 380, and a message computation part390. The re-encryption key generation part 330 includes a random numbergeneration part 331, a conversion information W₁ generation part 332, aconversion information W₁ encryption part 333, a decryption key k*^(rk)generation part 334, a conversion part 335, an f vector generation part336, and an s vector generation part 337. The verification part 360includes a span program computation part 361 and a signatureverification part 362.

With reference to FIG. 26, the process of the RKG algorithm will bedescribed. The Dec2 algorithm will be described later.

(S1001: Decryption Key Receiving Step)

Using the communication device and via the network, for example, thedecryption key receiving part 310 receives the decryption key sk_(S)transmitted by the key generation device 100. The decryption keyreceiving part 310 also receives the public parameter pk generated bythe key generation device 100.

(S1002: Information Input Step)

Using the input device, the information input part 320 takes as input anattribute set Γ′:={(t, x′^(→) _(t):=(x′^(→) _(t.1), . . . , x_(t.nt)εF_(q) ^(nt)\{0^(→)}))|1≦t≦d}. Note that t may be at least some ofintegers from 1 to d, instead of being all of integers from 1 to d.Attribute information of a user who can decrypt a re-encryptedciphertext CT_(Γ) is set in the attribute set Γ′, for example.

(S1003: Random Number Generation Step)

Using the processing device, the random number generation part 331generates random numbers, as indicated in Formula 188.

$\begin{matrix}{{\eta^{\prime}\overset{U}{\longleftarrow}{??}_{q}},{{{\theta_{i}^{\prime}\overset{U}{\longleftarrow}{??}_{q}}\mspace{14mu}{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},L,{{{\eta_{i}^{\prime}\overset{U}{\longleftarrow}{??}_{q}^{z_{t}}}\mspace{14mu}{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},L} & \left\lbrack {{Formual}\mspace{14mu} 188} \right\rbrack\end{matrix}$

(S1004: f Vector Generation Step)

Using the processing device, the f vector generation part 336 randomlygenerates a vector f^(→)′ having r pieces of elements, as indicated inFormula 189.

$\begin{matrix}{{\overset{\rightarrow}{f}}^{\prime}\overset{R}{\longleftarrow}{??}_{q}^{r}} & \left\lbrack {{Formual}\mspace{14mu} 189} \right\rbrack\end{matrix}$

(S1005: s Vector Generation Step)

Using the processing device and based on the (L rows×r columns) matrix Mincluded in the access structure S and the vector f^(→)′, the s vectorgeneration part 337 generates a vector s^(→′T), as indicated in Formula190.{right arrow over (s)}′ ^(T):=(s′ ₁ , . . . ,s′ _(L))^(T) :=M′·{rightarrow over (f)}′ ^(T)  [Formula 190]

Using the processing device and based on the vector f^(→)′, the s vectorgeneration part 337 also generates a value s_(0′), as indicated inFormula 191.s′ ₀:={right arrow over (1)}·{right arrow over (f)}′ ^(T)  [Formula 191]

(S1006: Conversion Information W₁ Generation Step)

Using the processing device, the conversion information W₁ generationpart 332 generates conversion information W₁, as indicated in Formula192.

$\begin{matrix}{W_{1}\overset{R}{\longleftarrow}{{GL}\left( {7,{??}_{q}} \right)}} & \left\lbrack {{Formual}\mspace{14mu} 192} \right\rbrack\end{matrix}$

(S1007: Conversion Information W₁ Encryption Step)

Using the processing device, the conversion information W₁ encryptionpart 333 computes Formula 193, and thus encrypts the conversioninformation W₁ with functional encryption and generates encryptedconversion information ψ^(rk). Since the conversion information W₁ isencrypted with functional encryption on input of the attributeinformation Γ′, the conversion information W₁ is encrypted with theattribute information of the user who can decrypt the re-encryptedciphertext CT_(Γ′) being set.

$\begin{matrix}{\psi^{rk}\overset{R}{\longleftarrow}{{Enc}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},\Gamma^{\prime},W_{1}} \right)}} & \left\lbrack {{Formual}\mspace{14mu} 193} \right\rbrack\end{matrix}$

(S1008: Decryption Key k*^(rk) Generation Step)

Using the processing device, the decryption key generation part 334generates a decryption key k*^(rk) ₀, as indicated in Formula 194.k* ₀ ^(rk):=(k* ₀+(0,−s′ ₀,0,0,0,0,η′)

_(*0))W ₁  [Formula 194]

Using the processing device, the decryption key generation part 334 alsogenerates a decryption key k*^(rk) _(i) for each integer i=1, . . . , L,as indicated in Formula 195.

$\begin{matrix}{\mspace{79mu}{{{{{for}\mspace{14mu} i} = 1},{\ldots\mspace{14mu} L}}{{{{if}\mspace{14mu}{\rho(i)}} = {\left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i{.1}},\ldots\mspace{14mu},v_{i.n_{t}}} \right) \in {{??}_{q}^{n_{t}}\backslash\left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i,n_{t}} \neq 0} \right)}},\mspace{20mu}{k_{i}^{*{rk}}:={k_{i}^{*} + \left( {\overset{\overset{n_{t}}{︷}}{{{s_{i}^{\prime}\mspace{20mu}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}^{\prime}\mspace{14mu}{\overset{\rightarrow}{v}}_{i}}},}\mspace{20mu}\overset{\overset{u_{t}}{︷}}{0^{u_{t}},}\mspace{25mu}\overset{\overset{z_{t}}{︷}}{{\overset{\rightarrow}{\eta}}_{i}^{\prime},}\mspace{25mu}\overset{\overset{1}{︷}}{0}} \right)_{{??}_{t}^{*}}}},\mspace{20mu}{{{if}\mspace{14mu}{\rho(i)}} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu}{k_{i}^{*{rk}}:={k_{i}^{*} + \left( {\overset{\overset{n_{t}}{︷}}{{s_{i}^{\prime}\mspace{11mu}{\overset{\rightarrow}{v}}_{i}},}\mspace{14mu}\overset{\overset{u_{t}}{︷}}{0^{u_{t}},}\mspace{25mu}\overset{\overset{z_{t}}{︷}}{{\overset{\rightarrow}{\eta}}_{i}^{\prime},}\mspace{20mu}\overset{\overset{1}{︷}}{0}} \right)_{{??}_{t}^{*}}}},}}} & \left\lbrack {{Formual}\mspace{14mu} 195} \right\rbrack\end{matrix}$

(S1009: Conversion Step)

Using the processing device, the conversion part 335 computes Formula196, and thus generates a basis D^*₀.d* _(0.i) :=b* _(0.i) W ₁ for i=2,3,4,7,

*₀:=(d* _(0.2) ,d* _(0.3) ,d* _(0.4) ,d* _(0.7)),  [Formula 196]

(S1010: Key Transmission Step)

Using the communication device and via the network, for example, there-encryption key transmission part 340 transmits the re-encryption keyrk_((S.Γ′)) having, as elements, the access structure S, the attributeset Γ′, the decryption keys k*^(rk) ₀ and k*^(rk) _(i), the encryptedconversion information ψ^(rk), and the basis D^(^*) ₀ to there-encryption device 400 in secrecy. As a matter of course, there-encryption key rk_((S.Γ′)) may be transmitted to the re-encryptiondevice 400 by another method.

In brief, in (S1001) through (S1009), the decryption device 300generates the re-encryption key rk_((S.Γ′)) by executing the RKGalgorithm indicated in Formula 197. In (S1010), the decryption device300 transmits the generated re-encryption key rk_((S.Γ′)) to there-encryption device 400.

$\begin{matrix}{\mspace{79mu}{{{{{RKG}\left( {{pk},{{sk}_{??} = \left( {{sk}_{??}^{{KP} - {FE}},{??},k_{0}^{*},\left\{ k_{i}^{*} \right\}_{{i = 1},{\ldots\mspace{14mu} L}}} \right)},\Gamma^{\prime}} \right)}:\mspace{20mu}{\eta^{\prime}\overset{U}{\longleftarrow}{??}_{q}}},{{\overset{\rightarrow}{f}}^{\prime}\overset{R}{\longleftarrow}{??}_{q}^{r}},{{\overset{\rightarrow}{s}}^{\prime\; T}:={\left( {s_{1}^{\prime},\ldots\mspace{14mu},s_{L}^{\prime}} \right)^{T}:={M^{\prime} \cdot {\overset{\rightarrow}{f}}^{\prime\; T}}}},{s_{0}^{\prime}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{\prime\; T}}},\mspace{20mu}{W_{1}\overset{R}{\longleftarrow}{{GL}\left( {7,{??}_{q}} \right)}},\mspace{20mu}{\psi^{rk}\overset{R}{\longleftarrow}{{Enc}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},\Gamma^{\prime},W_{1}} \right)}},\mspace{20mu}{k_{0}^{*{rk}}:={\left( {k_{0}^{*} + \left( {0,{- s_{0}^{\prime}},0,0,0,0,\eta^{\prime}} \right)_{{??}_{0}^{*}}} \right)W_{1}}},\mspace{20mu}{{{for}\mspace{14mu} i} = 1},{\ldots\mspace{14mu} L}}{{{{if}\mspace{14mu}{\rho(i)}} = {\left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i{.1}},\ldots\mspace{14mu},v_{i.n_{t}}} \right) \in {{??}_{q}^{n_{t}}\backslash\left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i,n_{t}} \neq 0} \right)}},\mspace{20mu}{\theta_{i}^{\prime}\overset{U}{\longleftarrow}{??}_{q}},{\eta_{i}^{\prime}\overset{U}{\longleftarrow}{??}_{q}^{z_{t}}}}\mspace{20mu}{{k_{i}^{*{rk}}:={k_{i}^{*} + \left( {\overset{\overset{n_{t}}{︷}}{{{s_{i}^{\prime}\mspace{20mu}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}^{\prime}\mspace{14mu}{\overset{\rightarrow}{v}}_{i}}},}\overset{\overset{u_{t}}{︷}}{0^{u_{t}},}\mspace{14mu}\overset{\overset{z_{t}}{︷}}{{\overset{\rightarrow}{\eta}}_{i}^{\prime},}\mspace{14mu}\overset{\overset{1}{︷}}{0}} \right)_{{??}_{t}^{*}}}},\mspace{20mu}{{{if}\mspace{14mu}\rho(i)} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu}{\eta_{i}^{\prime}\overset{U}{\longleftarrow}{??}_{q}^{z_{t}}}}\mspace{20mu}{{k_{i}^{*{rk}}:={k_{i}^{*} + \left( {\overset{\overset{n_{t}}{︷}}{{s_{i}^{\prime}\mspace{11mu}{\overset{\rightarrow}{v}}_{i}},}\mspace{14mu}\overset{\overset{u_{t}}{︷}}{0^{u_{t}},}\mspace{20mu}\overset{\overset{z_{t}}{︷}}{{\overset{\rightarrow}{\eta}}_{i}^{\prime},}\mspace{14mu}\overset{\overset{1}{︷}}{0}} \right)_{{??}_{t}^{*}}}},\mspace{20mu}{d_{0,i}^{*}:={{b_{0.i}^{*}W_{1}\mspace{14mu}{for}\mspace{14mu} i} = 2}},3,4,7,\mspace{79mu}{{\hat{??}}_{0}^{*}:=\left( {d_{0.2}^{*},d_{0.3}^{*},d_{0.4}^{*},d_{0.7}^{*}} \right)},\mspace{20mu}{{rk}_{({{??}.\Gamma^{\prime}})}:=\left( {{??},\Gamma^{\prime},k_{0}^{*{rk}},\left\{ k_{i}^{*{rk}} \right\}_{{i = 1},\ldots\mspace{14mu},L},\psi^{rk},{\hat{??}}_{0}^{*}} \right)},\mspace{20mu}{{return}\mspace{14mu}{{rk}_{({{??}.\Gamma^{\prime}})}.}}}}} & \left\lbrack {{Formual}\mspace{14mu} 197} \right\rbrack\end{matrix}$

The function and operation of the re-encryption device 400 will bedescribed.

The re-encryption device 400 includes a public parameter receiving part410, a ciphertext receiving part 420, a re-encryption key receiving part430, a verification part 440, an encryption part 450, and a re-encryptedciphertext transmission part 460. The verification part 440 includes aspan program computation part 441 and a signature verification part 442.The encryption part 450 includes a random number generation part 451, anf vector generation part 452, an s vector generation part 453, aconversion information W₂ generation part 454, a conversion informationW₂ encryption part 455, a ciphertext c^(renc) generation part 456, and adecryption key k*^(renc) generation part 457.

With reference to FIG. 27, the process of the REnc algorithm will bedescribed.

(S1101: Public Parameter Receiving Step)

Using the communication device and via the network, for example, thepublic parameter receiving part 410 receives the public parameter pkgenerated by the key generation device 100.

(S1102: Ciphertext Receiving Step)

Using the communication device and via the network, for example, theciphertext receiving part 420 receives the ciphertext ct_(Γ) transmittedby the encryption device 200.

(S1103: Re-Encryption Key Receiving Step)

Using the communication device and via the network, for example, there-encryption key receiving part 430 receives the re-encryption keyrk_((S.Γ′)) transmitted by the decryption device 300.

(S1104: Span Program Computation Step)

Using the processing device, the span program computation part 441determines whether or not the access structure S included in there-encryption key rk_((S.Γ′)) accepts Γ included in the ciphertextct_(Γ). The method for determining whether or not the access structure Saccepts Γ is as described in “3. Concept for Implementing FPRE” inEmbodiment 1.

If the access structure S accepts Γ (accept in S1104), the span programcomputation part 441 advances the process to (S1105). If the accessstructure S rejects Γ (reject in S1104), the span program computationpart 441 ends the process.

(S1105: Signature Verification Step)

Using the processing device, the signature verification part 442determines whether or not a result of computing Formula 198 is 1. If theresult is 1 (valid in S1105), the signature verification part 442advances the process to (S1106). If the result is 0 (invalid in S1105),the signature verification part 442 ends the process.Ver(verk,C=(Γ,c ₀ ^(enc) ,{c _(t) ^(enc)}_((t,{right arrow over (x)})_(t) ₎ εΓ,c _(d+1) ^(enc)),Sig)  [Formula 198]

(S1106: Random Number Generation Step)

Using the processing device, the random number generation part 451generates random numbers, as indicated in Formula 199.

$\begin{matrix}{\sigma,Ϛ^{\prime},\delta^{\prime},\rho^{\prime},\varphi^{\prime},\eta^{''},{{{\theta_{i}^{''}\overset{U}{\longleftarrow}{??}_{q}}\mspace{14mu}{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},L,{{{{\overset{\rightarrow}{\eta}}_{i}^{''}\overset{U}{\longleftarrow}{??}_{q}^{z_{t}}}\mspace{14mu}{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},L,{{{\varphi_{t}^{\prime}\overset{U}{\longleftarrow}{??}_{q}}\mspace{14mu}{for}\mspace{14mu}\left( {t,x_{t}^{\prime}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 199} \right)\end{matrix}$

(S1107: f Vector Generation Step)

Using the processing device, the f vector generation part 452 randomlygenerates a vector f^(→)″ having r pieces of elements, as indicated inFormula 200.

$\begin{matrix}{{\overset{\rightarrow}{f}}^{''}\overset{R}{\longleftarrow}{??}_{q}^{r}} & \left\lbrack {{Formual}\mspace{14mu} 200} \right\rbrack\end{matrix}$

(S1108: s Vector Generation Step)

Using the processing device and based on the (L rows×r columns) matrix Mincluded in the access structure S and the vector f^(→)″, the s vectorgeneration part 453 generates a vector s^(→)″^(T), as indicated inFormula 201.{right arrow over (s)}″ ^(T):=(s″ ₁ , . . . ,S″ _(L))^(T) :=M·{rightarrow over (f)}″ ^(T)  [Formula 201]Using the processing device and based on the vector f^(→)″, the s vectorgeneration part 453 also generates a value s₀″, as indicated in Formula202.s″ ₀:={right arrow over (1)}·{right arrow over (f)}″ ^(T)  [Formula 202]

(S1109: Conversion Information W₂ Generation Step)

Using the processing device, the conversion information W₂ generationpart 454 generates conversion information W₂, as indicated in Formula203.

$\begin{matrix}{W_{2}\overset{R}{\longleftarrow}{{GL}\left( {7,{??}_{q}} \right)}} & \left\lbrack {{Formual}\mspace{14mu} 203} \right\rbrack\end{matrix}$

(S1110: Conversion Information W₂ Encryption Step)

Using the processing device, the conversion information W₂ encryptionpart 455 computes Formula 204, and thus encrypts the conversioninformation W₂ with functional encryption and generates encryptedconversion information ψ^(renc). Since the conversion information W₂ isencrypted with functional encryption on input of the attributeinformation Γ′, the conversion information W₂ is encrypted with theattribute information of the user who can decrypt the re-encryptedciphertext CT_(Γ)′ being set.

$\begin{matrix}{\psi^{renc}\overset{R}{\longleftarrow}{{Enc}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},\Gamma^{\prime},W_{2}} \right)}} & \left\lbrack {{Formual}\mspace{14mu} 204} \right\rbrack\end{matrix}$

(S1111: Ciphertext c^(renc) Generation Step)

Using the processing device, the ciphertext c^(renc) generation part 456generates a ciphertext c^(renc) ₀, as indicated in Formula 205.c ₀ ^(renc):=(c ₀ ^(enc)+(ζ′,δ′,ρ′(verk,1),0,φ′,0)

₀)W ₂  [Formula 205]Using the processing device, the ciphertext c^(renc) generation part 456also generates a ciphertext c^(renc) _(t) for each integer t included inthe attribute information Γ, as indicated in Formula 206.

$\begin{matrix}{{c_{t}^{renc}:={c_{t}^{enc} + \begin{pmatrix}\overset{\overset{n_{t}}{︷}}{{\delta^{\prime}{\overset{\rightarrow}{x}}_{t}},} & \overset{\overset{u_{t}}{︷}}{{0\; u_{t}},} & \overset{\overset{z_{t}}{︷}}{{0\; z_{t}},} & \overset{\overset{1}{︷}}{\varphi_{t}^{\prime}}\end{pmatrix}_{{??}_{t}}}}{{{for}\mspace{14mu}\left( {t,x_{t}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 206} \right\rbrack\end{matrix}$

Using the processing device, the ciphertext c^(renc) generation part 456also generates a ciphertext c^(renc) _(d+1), as indicated in Formula207.c _(d+1) ^(renc) =c _(d+1) ^(enc) ·g _(T) ^(ζ′)  [Formula 207]

(S1112: Decryption Key k*^(renc) Generation Step)

Using the processing device, the decryption key k*^(renc) generationpart 457 generates a decryption key k*^(renc) ₀, as indicated in Formula208.k* ₀ ^(renc) :=k* ₀ ^(rk)+(0,−s″ ₀,σ(−1,verk),0,0,η″)

*₀  [Formula 208]Using the processing device, the decryption key k*^(renc) generationpart 457 also generates a decryption key k*^(renc) _(i) for each integeri=1, . . . , L, as indicated in Formula 209.

$\begin{matrix}{\mspace{79mu}{{{{{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},L}{{{if}\mspace{14mu}{\rho(i)}} = {\left( {t,{\overset{\rightarrow}{v}:={\left( {v_{i{.1}},\ldots\mspace{14mu},v_{i.n_{t}}} \right) \in {{??}_{q}^{n_{t}}\backslash\left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i.n_{t}} \neq 0} \right)}}\mspace{20mu}{{k_{i}^{*{renc}}:={k_{i}^{*{rk}} + \begin{pmatrix}\overset{\overset{n_{t}}{︷}}{{{s_{i}^{''}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}^{''}{\overset{\rightarrow}{v}}_{i}}},} & \overset{\overset{u_{t}}{︷}}{{0\; u_{t}},} & \overset{\overset{z_{t}}{︷}}{{\overset{\rightarrow}{\eta}}_{i}^{''},} & \overset{\overset{1}{︷}}{0}\end{pmatrix}_{{??}_{t}^{*}}}},\mspace{20mu}{{{if}\mspace{14mu}{\rho(i)}} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu}{k_{i}^{*{renc}}:={k_{i}^{*{rk}} + \begin{pmatrix}\overset{\overset{n_{t}}{︷}}{{s_{i}^{''}{\overset{\rightarrow}{v}}_{i}},} & \overset{\overset{u_{t}}{︷}}{{0\; u_{t}},} & \overset{\overset{z_{t}}{︷}}{{\overset{\rightarrow}{\eta}}_{i}^{''},} & \overset{\overset{1}{︷}}{0}\end{pmatrix}_{{??}_{t}^{*}}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 209} \right\rbrack\end{matrix}$

(S1113: Re-Encrypted Ciphertext Transmission Step)

Using the communication device and via the network, for example, there-encrypted ciphertext transmission part 460 transmits the re-encryptedciphertext CT_(Γ)′ having, as elements, the attribute set Γ′, the accessstructure S, the attribute set Γ, the decryption keys k*^(renc) ₀ andk*^(renc) _(i), the ciphertexts c^(renc) ₀, c^(renc) _(t), and c^(renc)_(d+1), the encrypted conversion information ψ^(rk), and the encryptedconversion information ψ^(renc) to the re-encryption device 400 insecrecy. As a matter of course, the re-encrypted ciphertext CT_(Γ′) maybe transmitted to the re-encryption device 400 by another method.

In brief, in (S1101) through (S1112), the re-encryption device 400generates the re-encrypted ciphertext CT_(Γ′) by executing the REncalgorithm indicated in Formula 210-1 and Formula 210-2. In (S1113), there-encryption device 400 transmits the generated re-encrypted ciphertextCT_(Γ′) to the re-encrypted ciphertext decryption device 500.

$\begin{matrix}{{{{{REnc}\left( {{{rk}_{({{??},\Gamma^{\prime}})} = \left( {{??},\Gamma^{\prime},k_{0}^{*{rk}},{\left\{ k_{i}^{*{rk}} \right\}_{{i = 1},\ldots\mspace{14mu},L}\psi^{rk}},{\hat{??}}_{0}^{*}} \right)},\mspace{20mu}{{ct}_{\Gamma} = \left( {\Gamma,c_{0}^{enc},\left\{ c_{t}^{enc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma},c_{d + 1}^{enc},{verk},{Sig}} \right)}} \right)}:\mspace{20mu}{{If}\mspace{14mu}{??}\mspace{14mu}{accepts}\mspace{14mu}\Gamma}}:=\left\{ \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \right\}},{{and}\mspace{14mu}{{Ver}\left( {{verk},{C = {\left( {\Gamma,c_{0}^{enc},\left\{ c_{t}^{enc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma},c_{d + 1}^{enc},{Sig}} \right) = {1{then}\mspace{14mu}{compute}\mspace{14mu}{following}\mspace{14mu} c_{0}^{renc}}}},\left\{ c_{t}^{renc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma},c_{d + 1}^{renc},k^{*{renc}},\mspace{20mu}{{and}\mspace{14mu}\left\{ k^{*{renc}} \right\}_{{i = 0},\ldots\mspace{14mu},L}\mspace{20mu}\sigma},\zeta^{\prime},\delta^{\prime},\rho^{\prime},\varphi^{\prime},{\eta^{''}\overset{U}{\longleftarrow}{??}_{q}},\mspace{20mu}{{{\varphi_{t}^{\prime}\overset{U}{\longleftarrow}{??}_{q}}\mspace{14mu}{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {\Gamma{{\overset{\rightarrow}{f}}^{''}\overset{R}{\longleftarrow}{??}_{q}^{r}}}},{{{\overset{\rightarrow}{s}}^{''}T}:={\left( {s_{1}^{''},\ldots\mspace{14mu},s_{L}^{''}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{''\; T}}}},{s_{0}^{''}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{''\; T}}},\mspace{20mu}{W_{2}\overset{R}{\longleftarrow}{{GL}\left( {7,{??}_{q}} \right)}},\mspace{20mu}{\psi^{renc}\overset{R}{\longleftarrow}{{Enc}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},\Gamma^{\prime},W_{2}} \right)}},} \right.}}} & \left\lbrack {{Formula}\mspace{14mu} 210\text{-}1} \right\rbrack \\{{{c_{0}^{renc}:={\left( {c_{0}^{enc} + \left( {\zeta^{\prime},\delta^{\prime},{\rho^{\prime}\left( {{verk},1} \right)},0,\varphi^{\prime},0} \right)_{{??}_{0}}} \right)W_{2}}},\mspace{79mu}{c_{t}^{renc}:={c_{t}^{enc} + \begin{pmatrix}\overset{\overset{n_{t}}{︷}}{{\delta^{\prime}{\overset{\rightarrow}{x}}_{t}},} & \overset{\overset{u_{t}}{︷}}{{0\; u_{t}},} & \overset{\overset{z_{t}}{︷}}{{0\; z_{t}},} & \overset{\overset{1}{︷}}{\varphi_{t}^{\prime}}\end{pmatrix}_{{??}_{t}}}}}\mspace{20mu}{{{for}\mspace{14mu}\left( {t,x_{t}} \right)} \in \Gamma}\mspace{20mu}{{c_{d + 1}^{renc} = {c_{d + 1}^{enc} \cdot g_{T}^{\zeta^{\prime}}}},{k_{0}^{*{renc}}:={k_{0}^{*{rk}} + \left( {0,{- s_{0}^{''}},{\sigma\left( {{- 1},{verk}} \right)},0,0,\eta^{''}} \right)_{{??}_{0}^{*}}}},\mspace{20mu}{{{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},L}{{{{if}\mspace{14mu}{\rho(i)}} = {\left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i{.1}},\ldots\mspace{14mu},v_{i.n_{t}}} \right) \in {{??}_{q}^{n_{t}}\backslash\left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i.n_{t}} \neq 0} \right)}},\mspace{20mu}{\theta_{i}^{''}\overset{U}{\longleftarrow}{??}_{q}},{\eta_{i}^{''}\overset{U}{\longleftarrow}{??}_{q}^{z_{t}}},{k_{i}^{*{renc}}:={k_{i}^{*{rk}} + \begin{pmatrix}\overset{\overset{n_{t}}{︷}}{{{s_{i}^{''}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}^{''}{\overset{\rightarrow}{v}}_{i}}},} & \overset{\overset{u_{t}}{︷}}{{0\; u_{t}},} & \overset{\overset{z_{t}}{︷}}{{\overset{\rightarrow}{\eta}}_{i}^{''},} & \overset{\overset{1}{︷}}{0}\end{pmatrix}_{{??}_{t}^{*}}}},\mspace{20mu}{{{if}\mspace{14mu}{\rho(i)}} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu}{\eta_{i}^{''}\overset{U}{\longleftarrow}{??}_{q}},\mspace{20mu}{k_{i}^{*{renc}}:={k_{i}^{*{rk}} + \begin{pmatrix}\overset{\overset{n_{t}}{︷}}{{s_{i}^{''}{\overset{\rightarrow}{v}}_{i}},} & \overset{\overset{u_{t}}{︷}}{{0\; u_{t}},} & \overset{\overset{z_{t}}{︷}}{{\overset{\rightarrow}{\eta}}_{i}^{''},} & \overset{\overset{1}{︷}}{0}\end{pmatrix}_{{??}_{t}^{*}}}}}{{{CT}_{\Gamma^{\prime}}:=\left( {\Gamma^{\prime},{??},\Gamma,k_{0}^{*{renc}},\left\{ k_{i}^{*{renc}} \right\}_{{i = 1},\ldots\mspace{14mu},L},{c_{0}^{renc}\left\{ c_{t}^{renc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}}\}} \in \Gamma^{\prime}}},c_{d + 1}^{renc},c_{d + 1}^{rk},c_{d + 1}^{enc}} \right)},\mspace{20mu}{{return}\mspace{14mu}{{CT}_{\Gamma^{\prime}}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 210\text{-}2} \right\rbrack\end{matrix}$

The function and operation of the re-encrypted ciphertext decryptiondevice 500 will be described.

The re-encrypted ciphertext decryption device 500 includes a decryptionkey receiving part 510, a ciphertext receiving part 520, a span programcomputation part 530, a complementary coefficient computation part 540,a conversion information generation part 550, a conversion part 560, apairing operation part 570, and a message computation part 580. Thepairing operation part 570 and the message computation part 580 will bereferred to collectively as a decryption part.

With reference to FIG. 28, the process of the Dec1 algorithm will bedescribed.

(S1201: Decryption Key Receiving Step)

Using the communication device and via the network, for example, thedecryption key receiving part 510 receives the decryption key sk_(S′)transmitted by the key generation device 100. The decryption keyreceiving part 310 also receives the public parameter pk generated bythe key generation device 100.

(S1202: Ciphertext Receiving Step)

Using the communication device and via the network, for example, theciphertext receiving part 520 receives the re-encrypted ciphertextCT_(Γ) transmitted by the re-encryption device 400.

(S1203: Span Program Computation Step)

Using the processing device, the span program computation part 530determines whether or not the access structure S included in there-encrypted ciphertext CT_(Γ) accepts Γ included in the re-encryptedciphertext CT_(Γ), and determines whether or not the access structure S′included in the decryption key sk_(S′) accepts Γ′ included in there-encrypted ciphertext CT_(Γ). The method for determining whether ornot the access structure S accepts Γ and whether or not the accessstructure S′ accepts Γ′ is as described in “3. Concept for ImplementingFPRE” in Embodiment 1.

If the access structure S accepts Γ and the access structure S′ acceptsΓ′ (accept in S1203), the span program computation part 530 advances theprocess to (S1204). If the access structure S rejects Γ or the accessstructure S′ rejects Γ′ (reject in S1203), the span program computationpart 530 ends the process.

(S1204: Complementary Coefficient Computation Step)

Using the processing device, the complementary coefficient computationpart 540 computes I and a constant (complementary coefficient){α_(i)}_(iεI) such that Formula 211 is satisfied.

$\begin{matrix}{\mspace{85mu}{{{\overset{\rightarrow}{1} = {\sum\limits_{i \in I}\;{\alpha_{i}M_{i}}}}\mspace{20mu}{{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M}},{{{and}\mspace{14mu} I} \subseteq \left\{ {i \in \left\{ {1,\ldots\mspace{14mu},L} \right\}} \middle| {\left\lbrack {{\rho(i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee\left\lbrack {{\rho(i)} = {⫬ {{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \right\}}}} & \left\lbrack {{Formula}\mspace{14mu} 211} \right\rbrack\end{matrix}$

(S1205: Conversion Information Generation Step)

Using the processing device, the conversion information generation part550 generates conversion information W₁ ^(˜) and W₂ ^(˜), as indicatedin Formula 212.

$\begin{matrix}{{{\overset{\sim}{W}}_{1}\overset{R}{\longleftarrow}{{Dec}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},{sk}_{\Gamma}^{{KP} - {FE}},\psi^{rk}} \right)}},{{\overset{\sim}{W}}_{2}\overset{R}{\longleftarrow}{{Dec}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},{sk}_{\Gamma}^{{KP} - {FE}},\psi^{renc}} \right)}}} & \left\lbrack {{Formula}\mspace{14mu} 212} \right\rbrack\end{matrix}$

Using the processing device, the conversion part 560 converts the basisof the decryption key k*^(renc) ₀ and thus generates a decryption keyk*₀ ^(˜), and converts the basis of the ciphertext c^(renc) ₀ and thusgenerates a ciphertext c₀ ^(˜), as indicated in Formula 213.{tilde over (k)}* ₀ :=k* ₀ ^(renc) W ₁ ⁻¹,{tilde over (c)} ₀ :=c ₀ ^(renc) W ₂ ⁻¹  [Formula 213]

(S1207: Pairing Operation Step)

Using the processing device, the pairing operation part 570 computesFormula 214, and thus generates a session key K^(˜).

$\begin{matrix}{\overset{\sim}{K}:={{e\left( {{\overset{\sim}{c}}_{0},{\overset{\sim}{k}}_{0}^{*}} \right)} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}\;{{e\left( {c_{t}^{renc},k_{i}^{*{renc}}} \right)}{\alpha_{i} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {⫬ {({t,{\overset{\rightarrow}{v}}_{i}})}}}\;{{e\left( {c_{t}^{renc},k_{i}^{*{renc}}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}}}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 214} \right\rbrack\end{matrix}$

(S1208: Message Computation Step)

Using the processing device, the message computation part 390 computesm′=c^(enc) _(d+1)/K^(˜), and thus generates a message m′(=m).

In brief, in (S1201) through (S1208), the re-encrypted ciphertextdecryption device 500 generates the message m′(=m) by executing the Dec1algorithm indicated in Formula 215.

$\begin{matrix}{\mspace{79mu}{{{{{{{{Dec}_{1}\left( {{pk},{{sk}_{{??}^{\prime}} = \left( {{sk}_{{??}^{\prime}}^{{KP} - {FE}},{??}^{\prime},k_{0}^{*},\left\{ k_{i}^{*} \right\}_{{i = 1},{\ldots\mspace{14mu} L}}} \right)},\mspace{20mu}{{CT}_{\Gamma^{\prime}} = \left( {\Gamma^{\prime},{??},\Gamma,k_{0}^{*{renc}},\left\{ k_{i}^{renc} \right\}_{{i = 1},\ldots\mspace{14mu},L},\mspace{20mu}{c_{0}^{renc}\left\{ c_{t}^{renc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma^{\prime}}},c_{d + 1}^{renc},c_{d + 1}^{rk},c_{d + 1}^{enc}} \right)}} \right)}:{{If}\mspace{14mu}{??}\mspace{14mu}{accepts}\mspace{14mu}\Gamma}}:={{\left\{ \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \right\}\mspace{14mu}{and}\mspace{14mu}{??}^{\prime}\mspace{14mu}{accepts}\mspace{14mu}\Gamma^{\prime}}:=\left\{ \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \right\}}},\mspace{20mu}{{then}\mspace{14mu}{compute}\mspace{14mu} I\mspace{14mu}{and}\mspace{14mu}\left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu}{such}\mspace{14mu}{that}}}\mspace{20mu}{\overset{\rightarrow}{1} = {\sum\limits_{i \in I}\;{\alpha_{i}M_{i}}}}\mspace{20mu}{{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M}},{{{and}\mspace{14mu} I} \subseteq \left\{ {i \in \left\{ {1,\ldots\mspace{14mu},L} \right\}} \middle| {\left\lbrack {{\rho(i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee\left\lbrack {{\rho(i)} = {⫬ {{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \right\}},\mspace{20mu}{{\overset{\sim}{W}}_{1}\overset{R}{\longleftarrow}{{Dec}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},{sk}_{\Gamma}^{{KP} - {FE}},\psi^{rk}} \right)}},\mspace{20mu}{{\overset{\sim}{W}}_{2}\overset{R}{\longleftarrow}{{Dec}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},{sk}_{\Gamma}^{{KP} - {FE}},\psi^{renc}} \right)}},\mspace{20mu}{{\overset{\sim}{k}}_{0}^{*}:={k_{0}^{*{renc}}{\overset{\sim}{W}}_{1}^{- 1}}},\mspace{20mu}{{\overset{\sim}{c}}_{0}:={c_{0}^{renc}{\overset{\sim}{W}}_{2}^{- 1}}},{\overset{\sim}{K}:={{e\left( {{\overset{\sim}{c}}_{0},{\overset{\sim}{k}}_{0}^{*}} \right)} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}\;{{e\left( {c_{t}^{renc},k_{i}^{*{renc}}} \right)}{\alpha_{i} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {⫬ {({t,{\overset{\rightarrow}{v}}_{i}})}}}\;{{e\left( {c_{t}^{renc},k_{i}^{*{renc}}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}}}}}}}}}\mspace{20mu}{{m^{\prime}:={c_{d + 1}^{enc}/\overset{\sim}{K}}},\mspace{20mu}{{return}\mspace{14mu}{m^{\prime}.}}}}} & \left\lbrack {{Formula}\mspace{14mu} 215} \right\rbrack\end{matrix}$

With reference to FIG. 29, the process of the Dec2 algorithm will bedescribed.

(S1301: Decryption Key Receiving Step)

Using the communication device and via the network, for example, thedecryption key receiving part 310 receives the decryption key sk_(S)transmitted by the key generation device 100. The decryption keyreceiving part 310 also receives the public parameter pk generated bythe key generation device 100.

(S1302: Ciphertext Receiving Step)

Using the communication device and via the network, for example, theciphertext receiving part 350 receives the ciphertext ct_(Γ) transmittedby the re-encryption device 400.

(S1303: Span Program Computation Step)

Using the processing device, the span program computation part 361determines whether or not the access structure S included in thedecryption key sk_(S) accepts Γ included in the ciphertext ct_(Γ). Themethod for determining whether or not the access structure S accepts Γis as described in “3. Concept for Implementing FPRE” in Embodiment 1.

If the access structure S accepts Γ (accept in S1303), the span programcomputation part 361 advances the process to (S1304). If the accessstructure S rejects Γ (reject in S1303), the span program computationpart 361 ends the process.

(S1304: Signature Verification Step)

Using the processing device, the signature verification part 362determines whether or not a result of computing Formula 216 is 1. If theresult is 1 (valid in S1304), the signature verification part 442advances the process to (S1305). If the result is 0 (invalid in S1304),the signature verification part 442 ends the process.Ver(verk,C=(Γ,c ₀ ^(enc) ,{c _(t) ^(enc)}_((t,x) _(t) _()εΓ) ,c _(d+1)^(enc)),Sig)  [Formula 216]

(S1305: Complementary Coefficient Computation Step)

Using the processing device, the complementary coefficient computationpart 370 computes I and a constant (complementary coefficient){α_(i)}_(iεI) such that Formula

$\begin{matrix}{\mspace{79mu}{{{\overset{\rightarrow}{1} = {\sum\limits_{i \in I}\;{\alpha_{i}M_{i}}}}\mspace{20mu}{{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M}}\;{{{and}\mspace{14mu} I} \subseteq \left\{ {i \in \left\{ {1,\ldots\mspace{14mu},L} \right\}} \middle| {\left\lbrack {{\rho(i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee\left\lbrack {{\rho(i)} = {⫬ {{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \right\}}}} & \left\lbrack {{Formula}\mspace{14mu} 217} \right\rbrack\end{matrix}$

(S1306: Pairing Operation Step)

Using the processing device, the pairing operation part 570 computesFormula 128, and thus generates a session key K.

$\begin{matrix}{K:={{e\left( {c_{0}^{enc},k_{0}^{*}} \right)} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}\;{{e\left( {c_{t}^{renc},k_{i}^{*}} \right)}{\alpha_{i} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {⫬ {({t,{\overset{\rightarrow}{v}}_{i}})}}}\;{{e\left( {c_{t}^{enc},k_{i}^{*}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{i}} \right)}}}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 218} \right\rbrack\end{matrix}$

(S1307: Message Computation Step)

Using the processing device, the message computation part 390 computesm′=c^(enc) _(d+1)/K, and thus generates a message m′(=m).

In brief, in (S1301) through (S1307), the decryption device 300generates the message m′(=m) by executing the Dec2 algorithm indicatedin Formula 219.

$\begin{matrix}{\mspace{79mu}{{{{{{Dec}_{2}\left( {{pk},{{sk}_{??} = \left( {{sk}_{??}^{{KP} - {FE}},{??},k_{0}^{*},\left\{ k_{i}^{*} \right\}_{{i = 1},{\ldots\mspace{14mu} L}}} \right)},\mspace{20mu}{{ct}_{\Gamma} = \left( {\Gamma,c_{0}^{enc},\left\{ c_{t}^{enc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma},c_{d + 1}^{enc},{verk},{Sig}} \right)}} \right)}:\mspace{20mu}{{If}\mspace{14mu}{??}\mspace{14mu}{accepts}\mspace{14mu}\Gamma}}:={\left\{ \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \right\}\mspace{14mu}{and}}}\text{}{{{{Ver}\left( {{verk},{C = \left( {\Gamma,c_{0}^{enc},\left\{ c_{t}^{enc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma},c_{d + 1}^{enc}} \right)},{Sig}} \right)} = 1},\mspace{20mu}{{then}\mspace{14mu}{compute}\mspace{14mu} I\mspace{14mu}{and}\mspace{14mu}\left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu}{such}\mspace{14mu}{that}}}\mspace{20mu}{\overset{\rightarrow}{1} = {\sum\limits_{i \in I}\;{\alpha_{i}M_{i}\mspace{20mu}{{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M}}}}},{{{and}\mspace{14mu} I} \subseteq \left\{ {i \in \left\{ {1,\ldots\mspace{14mu},L} \right\}} \middle| {\left\lbrack {{\rho(i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee\left\lbrack {{\rho(i)} = {⫬ {{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \right\}},{K:={{{e\left( {c_{0}^{enc},k_{0}^{*}} \right)} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}\;{{e\left( {c_{t}^{enc},k_{i}^{*}} \right)}{\alpha_{i} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {⫬ {({t,{\overset{\rightarrow}{v}}_{i}})}}}\;{{e\left( {c_{t}^{enc},k_{i}^{*r}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}\mspace{20mu} m^{\prime}}}}}}}:={c_{d + 1}^{enc}/K}}},\mspace{20mu}{{return}\mspace{14mu}{m^{\prime}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 219} \right\rbrack\end{matrix}$

As described above, the cryptographic system according to Embodiment 2can implement the KP-FPRE scheme. Thus, a ciphertext can be forwarded toa set of various types of users with a single re-encryption key.

As a result, for example, various ciphertexts existing on a network canbe securely forwarded to users having various attributes, withoutdecrypting the ciphertexts. It is thus possible to securely andpractically entrust processing of ciphertexts to a trusted third party.

It has been described that the decryption device 300 also functions as are-encryption key generation device, and that the decryption device 300executes the RKG algorithm as well as the Dec2 algorithm. However, thedecryption device 300 and the re-encryption key generation device may beimplemented separately. In this case, the decryption device 300 executesthe Dec2 algorithm, and the re-encryption key generation device executesthe RKG algorithm. In this case, therefore, the decryption device 300includes functional components that are required to execute the Dec2algorithm, and the re-encryption key generation device includesfunctional components that are required to execute the RKG algorithm.

In the above embodiments, it has been described that the re-encryptiondevice 400 re-encrypts a ciphertext and changes the destination of theciphertext, assuming a case where a message is encrypted with FE andtransmitted to the destination.

FE can be used not only to encrypt a message and transmit the encryptedmessage to the destination, but also to implement searchable encryptionwhich allows searching without decrypting a ciphertext. When searchableencryption is implemented with FE, a specified search keyword can bechanged with the algorithms described in the above embodiments.

In the above embodiments, a user capable of decryption is specified byattribute information which is set in a ciphertext. Then, thedestination of the ciphertext is changed by changing the attributeinformation. When searchable encryption is implemented with FE, a partof attribute information which is set in a ciphertext specifies a usercapable of searching, and a part of the remaining attribute informationspecifies a search keyword. Thus, it is possible to change the specifiedkeyword by changing the part that specifies the search keyword in theattribute information with the algorithms described in the aboveembodiments.

In the above embodiments, a single key generation device 100 generates adecryption key. However, it is possible to arrange that a singledecryption key is generated by a plurality of key generation devices 100by combining the algorithms of the above embodiments with amulti-authority scheme discussed in Non-Patent Literature 3.

In the above embodiments, adding an attribute category (increasing thevalue of d in the attribute format n^(→)) requires that the publicparameter be re-issued. However, it is possible to arrange that anattribute category can be added without re-issuing the public parameterby combining the algorithms of the above embodiments with an unboundedscheme discussed in Non-Patent Literature 4.

In the above embodiments, when the length of vectors used forinner-product encryption is defined as N, the size of the publicparameter and the master secret key is proportional to N², and it takestime proportional to N² to generate or encrypt a decryption key to begiven to a user. However, it is possible to reduce the size of thepublic parameter and the master secret key and reduce time necessary forgenerating and encrypting the decryption key to be given to the user bycombining the algorithms of the above embodiments with a schemediscussed in Non-Patent Literature 5.

Embodiment 3

In the above embodiments, the methods for implementing the cryptographicprocesses in dual vector spaces have been described. In Embodiment 3, amethod for implementing the cryptographic processes in dual modules willbe described.

That is, in the above embodiments, the cryptographic processes areimplemented in cyclic groups of prime order q. However, when a ring R isexpressed using a composite number M as indicated in Formula 220, thecryptographic processes described in the above embodiments can beadapted to a module having the ring R as a coefficient.

:=

/M

  [Formula 220]where

: integer, andM: composite number.

By changing F_(q) to R in the algorithms described in the aboveembodiments, the cryptographic processes in dual additive groups can beimplemented.

From the view point of security proof, in the above embodiments, ρ(i)for each integer i=1, . . . , L may be limited to a positive tuple (t,v^(→)) or negative tuple

(t, v^(→)) for respectively different identification information t.

In other words, when ρ(i)=(t, v^(→)) or ρ(i)=

(t, v^(→)), let a function ρ⁻ be map of ({1, . . . , L}→{1, . . . , d}such that ρ⁻(i)=t. In this case, ρ⁻ may be limited to injection. Notethat ρ(i) is ρ(i) in the access structure S:=(M, ρ(i)) described above.

A hardware configuration of the cryptographic system 10 (the keygeneration device 100, the encryption device 200, the decryption device300, the re-encryption device 400, and the re-encrypted ciphertextdecryption device 500) according to the embodiments will now bedescribed.

FIG. 30 is a diagram illustrating an example of a hardware configurationof the key generation device 100, the encryption device 200, thedecryption device 300, the re-encryption device 400, and there-encrypted ciphertext decryption device 500.

As illustrated in FIG. 30, each of the key generation device 100, theencryption device 200, the decryption device 300, the re-encryptiondevice 400, and the re-encrypted ciphertext decryption device 500includes the CPU 911 (also referred to as a Central Processing Unit,central processing device, processing device, arithmetic device,microprocessor, microcomputer, or processor) that executes programs. TheCPU 911 is connected via a bus 912 to the ROM 913, the RAM 914, an LCD901 (Liquid Crystal Display), the keyboard 902 (K/B), the communicationboard 915, and the magnetic disk device 920, and controls these hardwaredevices. In place of the magnetic disk device 920 (fixed disk device), astorage device such as an optical disk device or memory card read/writedevice may be employed. The magnetic disk device 920 is connected via apredetermined fixed disk interface.

The ROM 913 and the magnetic disk device 920 are examples of anonvolatile memory. The RAM 914 is an example of a volatile memory. TheROM 913, the RAM 914, and the magnetic disk device 920 are examples of astorage device (memory). The keyboard 902 and the communication board915 are examples of an input device. The keyboard 902 is an example of acommunication device. The LCD 901 is an example of a display device.

The magnetic disk device 920, the ROM 913, or the like stores anoperating system 921 (OS), a window system 922, programs 923, and files924. The programs 923 are executed by the CPU 911, the operating system921, and the window system 922.

The programs 923 store software and programs that execute the functionsdescribed in the above description as the “master key generation part110”, the “master key storage part 120”, the “information input part130”, the “decryption key generation part 140”, the “key transmissionpart 150”, the “public parameter receiving part 210”, the “informationinput part 220”, the “signature processing part 230”, the “encryptionpart 240”, the “ciphertext transmission part 250”, the “decryption keyreceiving part 310”, the “information input part 320”, the“re-encryption key generation part 330”, the “re-encryption keytransmission part 340”, the “ciphertext receiving part 350”, the“verification part 360”, the “complementary coefficient computation part370”, the “pairing operation part 380”, the “message computation part390”, the “public parameter receiving part 410”, the “ciphertextreceiving part 420”, the “re-encryption key receiving part 430”, the“verification part 440”, the “encryption part 450”, the “re-encryptedciphertext transmission part 460”, the “decryption key receiving part510”, the “ciphertext receiving part 520”, the “span program computationpart 530”, the “complementary coefficient computation part 540”, the“conversion information generation part 550”, the “conversion part 560”,the “pairing operation part 570”, the “message computation part 580”,and the like. The programs 923 store other programs as well. Theprograms are read and executed by the CPU 911.

The files 924 store information, data, signal values, variable values,and parameters such as the “public parameter pk”, the “master secret keysk”, the “decryption keys sk_(S) and sk_(Γ)”, the “ciphertexts ct_(Γ)and ct_(S)”, the “re-encryption keys rk_((Γ,S′)) and rk_((S,Γ′)),”, the“re-encrypted ciphertexts CT_(S′) and CT_(Γ),”, the “access structures Sand S′”, the “attribute sets Γ and Γ′”, and the “message m” in the abovedescription, as the items of a “file” and “database”. The “file” and“database” are stored in a recording medium such as a disk or memory.The information, data, signal values, variable values, and parametersstored in the recording medium such as the disk or memory are read outto the main memory or cache memory by the CPU 911 through a read/writecircuit, and are used for operations of the CPU 911 such as extraction,search, look-up, comparison, calculation, computation, processing,output, printing, and display. The information, data, signal values,variable values, and parameters are temporarily stored in the mainmemory, cache memory, or buffer memory during the operations of the CPU911 including extraction, search, look-up, comparison, calculation,computation, processing, output, printing, and display.

The arrows in the flowcharts in the above description mainly indicateinput/output of data and signals. The data and signal values are storedin the memory of the RAM 914, the recording medium such as an opticaldisk, or in an IC chip. The data and signals are transmitted online viaa transmission medium such as the bus 912, signal lines, or cables, orvia electric waves.

What is described as a “part” in the above description may be a“circuit”, “device”, “equipment”, “means”, or “function”, and may alsobe a “step”, “procedure”, or “process”. What is described as a “device”may be a “circuit”, “equipment”, “means”, or “function”, and may also bea “step”, “procedure”, or “process”. What is described as a “process”may be a “step”. In other words, what is described as a “part” may berealized by firmware stored in the ROM 913. Alternatively, what isdescribed as a “part” may be implemented solely by software, or solelyby hardware such as an element, a device, a substrate, or a wiring line,or by a combination of software and firmware, or by a combinationincluding firmware. The firmware and software are stored as programs inthe recording medium such as the ROM 913. The programs are read by theCPU 911 and are executed by the CPU 911. That is, each program causesthe computer or the like to function as each “part” described above.Alternatively, each program causes the computer or the like to execute aprocedure or a method of each “part” described above.

REFERENCE SIGNS LIST

-   -   100: key generation device, 110: master key generation part,        120: master key storage part, 130: information input part, 140:        decryption key generation part, 141: CP-FE key generation part,        142: random number generation part, 143: decryption key        k*generation part, 144: KP-FE key generation part, 145: f vector        generation part, 146: s vector generation part, 150: key        transmission part, 200: encryption device, 210: public parameter        receiving part, 220: information input part, 230: signature        processing part, 240: encryption part, 241: f vector generation        part, 242: s vector generation part, 243: random number        generation part, 244: ciphertext c^(enc) generation part, 250:        ciphertext transmission part, 300: decryption device, 310:        decryption key receiving part, 320: information input part, 330:        re-encryption key generation part, 331: random number generation        part, 332: conversion information W₁ generation part, 333:        conversion information W₁ encryption part, 334: decryption key        k*^(rk) generation part, 335: conversion part, 336: f vector        generation part, 337: s vector generation part, 340:        re-encryption key transmission part, 350: ciphertext receiving        part, 360: verification part, 361: span program computation        part, 362: signature verification part, 370: complementary        coefficient computation part, 380: pairing operation part, 390:        message computation part, 400: re-encryption device, 410: public        parameter receiving part, 420: ciphertext receiving part, 430:        re-encryption key receiving part, 440: verification part, 441:        span program computation part, 442: signature verification part,        450: encryption part, 451: random number generation part, 452: f        vector generation part, 453: s vector generation part, 454:        conversion information W₂ generation part, 455: conversion        information W₂ encryption part, 456: ciphertext c^(renc)        generation part, 457: decryption key k*^(renc) generation part,        460: re-encrypted ciphertext transmission part, 500:        re-encrypted ciphertext decryption device, 510: decryption key        receiving part, 520: ciphertext receiving part, 530: span        program computation part, 540: complementary coefficient        computation part, 550: conversion information generation part,        560: conversion part, 570: pairing operation part, 580: message        computation part

The invention claimed is:
 1. A hardware-including cryptographic systemthat implements a proxy re-encryption function in a cryptographic schemeaccording to which when two pieces of information correspond to eachother, a ciphertext which is set to one of the two pieces of informationwhich is decrypted with a decryption key which is set to the other oneof the two pieces of information, the hardware-including cryptographicsystem comprising a re-encryption key generation hardware-includingdevice and a re-encryption hardware-including device, wherein there-encryption key generation hardware-including device includes adecryption key k*^(rk) generation part that generates a decryption keyk*^(rk) by converting, using conversion information W₁, a decryption keyk* which is set to one of attribute information x and attributeinformation v corresponding to each other; a conversion information W₁encryption part that generates encrypted conversion information ψ^(rk)by encrypting the conversion information W₁ with one of attributeinformation x′ and attribute information v′ corresponding to each otherbeing set; and a re-encryption key transmission part that transmits tothe re-encryption hardware-including device the decryption key k*^(rk)and the encrypted conversion information ψ^(rk), as a re-encryption keyrk; and wherein the re-encryption hardware-including device includes aciphertext receiving part that receives a ciphertext c^(enc) which isset to the other one of the attribute information x and the attributeinformation v; a ciphertext c^(renc) generation part that generates aciphertext c^(renc) by setting at least one of additional information Hand additional information Θ corresponding to each other in theciphertext c^(enc) received by the ciphertext receiving part; adecryption key k*^(renc) generation part that generates a decryption keyk*^(renc) by setting at least the other one of the additionalinformation H and the additional information Θ in the decryption keyk*^(rk) included in the re-encryption key rk; and a re-encryptedciphertext transmission part that transmits the ciphertext c^(renc), thedecryption key k*^(renc), and the encrypted conversion informationψ^(rk), as a re-encrypted ciphertext CT.
 2. The hardware-includingcryptographic system according to claim 1, wherein the ciphertextc^(renc) generation part generates the ciphertext c^(renc) by convertingthe ciphertext c^(enc) using conversion information W₂, wherein there-encryption hardware-including device further includes a conversioninformation W₂ encryption part that generates encrypted conversioninformation ψ^(renc) by encrypting the conversion information W₂ usingthe one of the attribute information x′ and the attribute informationv′, and wherein the re-encrypted ciphertext transmission part transmitsthe ciphertext c^(renc), the decryption key k*^(renc), the encryptedconversion information ψ^(rk), and the encrypted conversion informationψ^(renc), as the re-encrypted ciphertext CT.
 3. The hardware-includingcryptographic system according to claim 2, wherein the ciphertextreceiving part receives the ciphertext c^(enc) which is set to averification key verk for verifying a signature which is attached with asignature key sigk, a signature Sig which is attached to the ciphertextc^(enc) with the signature key sigk, and the verification key verk, andwherein the ciphertext c^(renc) generation part generates the ciphertextc^(renc) by setting the verification key verk in the ciphertext c^(enc)as the one of the additional information H and the additionalinformation Θ.
 4. The hardware-including cryptographic system accordingto claim 3, further comprising a re-encrypted ciphertext decryptiondevice, wherein the re-encrypted ciphertext transmission part transmitsthe re-encrypted ciphertext CT to the re-encrypted ciphertext decryptiondevice, wherein the re-encrypted ciphertext decryption device includes adecryption key receiving part that receives a decryption key k*′ whichis generated using the other one of the attribute information x′ and theattribute information v′; a conversion information generation part thatgenerates the conversion information W₁ by decrypting the encryptedconversion information ψ^(rk) with the decryption key k*′ received bythe decryption key receiving part, and generates the conversioninformation W₂ by decrypting the encrypted conversion informationψ^(renc) with the decryption key k*′; a conversion part that generates adecryption key k*^(˜) by converting the decryption key k*^(renc) withthe conversion information W₁, and generates a ciphertext c^(enc˜) byconverting the ciphertext c^(renc) with the conversion information W₂;and a decryption part that decrypts the ciphertext c^(enc˜) with thedecryption key k*^(˜) generated by the conversion part.
 5. Thehardware-including cryptographic system according to claim 4, whereinthe decryption key k*^(rk) generation part generates the decryption keyk*^(rk) including k*^(rk) ₀ and k*^(rk) _(t) indicated in Formula 2 fromthe decryption key k* including k*₀ and k*_(t) indicated in Formula 1,wherein the ciphertext receiving part receives the ciphertext c^(enc)including c^(enc) ₀, c^(enc) _(i), and c^(enc) _(d+1) indicated inFormula 3, wherein the ciphertext c^(renc) generation part generates theciphertext c^(renc) including c^(renc) ₀, c^(renc) _(i), and c^(renc)_(d+1) indicated in Formula 4, wherein the decryption key k*^(renc)generation part generates the decryption key k*^(renc) includingk*^(renc) ₀ and k*^(renc) _(t) indicated in Formula 5, wherein theconversion part generates k*^(˜) and c^(˜) ₀ indicated in Formula 6, andwherein the decryption part computes a message m indicated in Formula 7,$\begin{matrix}{\mspace{79mu}{{{k_{0}^{*}:=\left( {1,\delta,0,0} \right)_{B_{0}^{*}}},\mspace{20mu}{k_{t}^{*}:=\left( \overset{\overset{n_{t}}{︷}}{\delta\;{\overset{\rightarrow}{x}}_{t}} \right)_{B_{0}^{*}}},{{{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}}\mspace{20mu}{where}\mspace{20mu}{{\delta\overset{U}{\longleftarrow}F_{q}},\mspace{20mu}{\Gamma = \left( {\left\{ {\left( {t,{\overset{\rightarrow}{x}}_{t}} \right),{1 \leq t \leq d}} \right\},\mspace{20mu}{{\overset{\rightarrow}{x}}_{t}:=\left( {x_{t{.1}},\ldots\mspace{14mu},x_{t.n_{t}}} \right)},\mspace{20mu}{n_{t}\mspace{14mu}{is}\mspace{14mu}{an}\mspace{14mu}{integer}\mspace{14mu}{of}\mspace{14mu} 1\mspace{14mu}{or}\mspace{14mu}{more}},{{and}\mspace{20mu} d\mspace{14mu}{is}\mspace{14mu}{an}\mspace{14mu}{integer}\mspace{14mu}{of}\mspace{14mu} 1\mspace{14mu}{or}\mspace{14mu}{more}},} \right.}}}} & \left\lbrack {{Formula}\mspace{14mu} 1} \right\rbrack \\{\mspace{79mu}{{{k_{0}^{*{rk}}:={\left( {k_{0}^{*} + \left( {0,\delta^{\prime},0,0} \right)_{B_{0}^{*}}} \right)W_{1}}},\mspace{20mu}{k_{t}^{*{rk}}:={k_{t}^{*} + \left( \overset{\overset{n_{t}}{︷}}{\delta^{\prime}\;{\overset{\rightarrow}{x}}_{t}} \right)_{B_{0}^{*}}}},{{{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}}\mspace{20mu}{where}\mspace{20mu}{\delta^{\prime}\overset{U}{\longleftarrow}F_{q}}}} & \left\lbrack {{Formula}\mspace{14mu} 2} \right\rbrack \\{\mspace{79mu}{{{c_{0}^{enc}:=\left( {\zeta,{- s_{0}},{\rho\left( {{verk},1} \right)}} \right)_{B_{0}}},\mspace{20mu}{{{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},L}\mspace{20mu}{{{{if}\mspace{14mu}{\rho(i)}} = \left( {t,{{\overset{\rightarrow}{v}}_{i}:=\left( {v_{i{.1}},\ldots\mspace{14mu},v_{i.n_{t}}} \right)}} \right)},\mspace{20mu}{c_{i}^{enc}:=\left( \overset{\overset{n_{t}}{︷}}{{s_{i}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}{\overset{\rightarrow}{v}}_{i}}} \right)_{B_{t}}},\mspace{20mu}{{{if}\mspace{14mu}{\rho(i)}} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu}{c_{i}^{enc}:=\left( \overset{\overset{n_{t}}{︷}}{s_{i}{\overset{\rightarrow}{v}}_{i}} \right)_{B_{t}}},\mspace{20mu}{c_{d + 1}^{enc} = {m \cdot g_{T}^{\zeta}}}}\mspace{20mu}{where}\mspace{20mu}{{\overset{\rightarrow}{f}\overset{U}{\longleftarrow}F_{q}^{r}},\mspace{79mu}{{\overset{\rightarrow}{s}}^{T}:={\left( {s_{1},\ldots\mspace{14mu},s_{L}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{T}}}},\mspace{20mu}{s_{0}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{T}}},\mspace{20mu}\rho,\zeta,{\theta_{i}\overset{U}{\longleftarrow}F_{q}},\mspace{20mu}{M\mspace{14mu}{is}\mspace{14mu} a\mspace{14mu}{matrix}\mspace{14mu}{with}\mspace{14mu} L{\mspace{11mu}\;}{rows}\mspace{14mu}{and}\mspace{14mu} r\mspace{14mu}{columns}},}}} & \left\lbrack {{Formula}\mspace{14mu} 3} \right\rbrack \\{\mspace{79mu}{{c_{0}^{renc}:={\left( {c_{0}^{enc} + \left( {\zeta^{\prime},{- s_{0}^{\prime}},{\rho^{\prime}\left( {{verk},1} \right)}} \right)_{B_{0}}} \right)W_{2}}}\mspace{20mu}{{{{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},L}\mspace{20mu}{{{{if}\mspace{14mu}{\rho(i)}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},\mspace{20mu}{c_{i}^{enc}:={c_{i}^{enc} + \left( \overset{\overset{n_{t}}{︷}}{{s_{i}^{\prime}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}^{\prime}{\overset{\rightarrow}{v}}_{i}}} \right)_{B_{t}}}},\mspace{20mu}{{{if}\mspace{14mu}{\rho(i)}} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu}{c_{i}^{renc}:={c_{i}^{enc} + \left( \overset{\overset{n_{t}}{︷}}{s_{i}^{\prime}{\overset{\rightarrow}{v}}_{i}} \right)_{B_{t}}}},\mspace{20mu}{c_{d + 1}^{renc} = {c_{d + 1}^{enc} \cdot g_{T}^{\zeta^{\prime}}}}}\mspace{20mu}{where}\mspace{20mu}{{{\overset{\rightarrow}{f}}^{\prime}\overset{R}{\longleftarrow}F_{q}^{r}},\mspace{20mu}{{\overset{\rightarrow}{s}}^{\prime\; T}:={\left( {s_{1}^{\prime},\ldots\mspace{14mu},s_{L}^{\prime}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{\prime\; T}}}},\mspace{20mu}{s_{0}^{\prime}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{\prime\; T}}},\mspace{20mu}\rho^{\prime},\zeta^{\prime},{\theta_{i}^{\prime}\overset{U}{\longleftarrow}F_{q}}}}} & \left\lbrack {{Formula}\mspace{14mu} 4} \right\rbrack \\{\mspace{79mu}{{{k_{0}^{*{renc}}:={k_{0}^{*{rk}} + \left( {0,\delta^{''},{\sigma\left( {{- 1},{verk}} \right)}} \right)_{D_{0}^{*}}}},\mspace{20mu}{k_{t}^{*{renc}}:={k_{t}^{*{rk}} + \left( \overset{\overset{n_{t}}{︷}}{\delta^{''}\;{\overset{\rightarrow}{x}}_{t}} \right)_{B_{0}^{*}}}},{{{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}}\mspace{20mu}{where}\mspace{20mu}{\delta^{''},{\sigma\overset{U}{\longleftarrow}F_{q}},\mspace{20mu}{D_{0}^{*}:={B_{0}^{*}W_{1}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 5} \right\rbrack \\{\mspace{79mu}{{{{\overset{\sim}{k}}_{0}^{*}:={k_{0}^{*{renc}}W_{1}^{- 1}}},\mspace{20mu}{{\overset{\sim}{c}}_{0}:={c_{0}^{renc}W_{2}^{- 1}}}}\mspace{20mu}{{{\overset{\sim}{k}}_{0}^{*}:={k_{0}^{*{renc}}{\overset{\sim}{W}}_{1}^{- 1}}},\mspace{20mu}{{\overset{\sim}{c}}_{0}:={c_{0}^{renc}{\overset{\sim}{W}}_{2}^{- 1}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 6} \right\rbrack \\{{{\overset{\sim}{K}:={e{\left( {{\overset{\sim}{c}}_{0},{\overset{\sim}{k}}_{0}^{*}} \right) \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}\;{{e\left( {c_{t}^{renc},k_{i}^{*{renc}}} \right)}{\alpha_{i} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {⫬ {({t,{\overset{\rightarrow}{v}}_{i}})}}}\;{{e\left( {c_{t}^{renc},k_{i}^{*{renc}}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}}}}}}}}}\mspace{20mu}{m:={c_{d + 1}^{enc}/\overset{\sim}{K}}}\;\mspace{20mu}{where}\mspace{20mu}{\overset{\rightarrow}{1} = {\sum\limits_{i \in I}\;{\alpha_{i}M_{i}\mspace{20mu}{{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M}}}}},{{{and}\mspace{14mu} I} \subseteq {\left\{ {i \in \left\{ {1,\ldots\mspace{14mu},L} \right\}} \middle| {\left\lbrack {{\rho(i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee\left\lbrack {{\rho(i)} = {⫬ {{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \right\}.}}} & \left\lbrack {{Formula}\mspace{14mu} 7} \right\rbrack\end{matrix}$
 6. The hardware-including cryptographic system accordingto claim 4, wherein the decryption key k*^(rk) generation part generatesthe decryption key k*^(rk) including k*^(rk) ₀ and k*^(rk) _(i)indicated in Formula 9 from the decryption key k* including k*₀ andk*_(i) indicated in Formula 8, wherein the ciphertext receiving partreceives the ciphertext c^(enc) including c^(enc) ₀, c^(enc) _(t), andc^(enc) _(d+1) indicated in Formula 10, wherein the ciphertext c^(renc)generation part generates the ciphertext c^(renc) including c^(renc) ₀,c^(renc) _(t), an c^(renc) _(d+1) indicated in Formula 11, wherein thedecryption key k*^(renc) generation part generates the decryption keyk*^(renc) including k*^(renc) ₀ and k*^(renc) _(i) indicated in Formula12, wherein the conversion part generates k*^(˜) ₀ and c^(˜) ₀ indicatedin Formula 13, and wherein the decryption part computes a message mindicated in Formula 14, $\begin{matrix}{\mspace{79mu}{{{k_{0}^{*}:=\left( {1,s_{0},0,0} \right)_{B_{0}^{*}}},\mspace{20mu}{{{for}\mspace{14mu} i} = 1},{\ldots\mspace{14mu} L}}\mspace{20mu}{{{{if}\mspace{14mu}{\rho(i)}} = \left( {t,{{\overset{\rightarrow}{v}}_{i}:=\left( {v_{i{.1}},\ldots\mspace{14mu},v_{i.n_{t}}} \right)}} \right)},\mspace{20mu}{k_{i}^{*}:=\left( \overset{\overset{n_{t}}{︷}}{{s_{i}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}{\overset{\rightarrow}{v}}_{i}}} \right)_{B_{t}}},\mspace{79mu}{{{if}\mspace{14mu}\rho(i)} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{79mu}{k_{i}^{*}:=\left( \overset{\overset{n_{t}}{︷}}{s_{i}{\overset{\rightarrow}{v}}_{i}} \right)_{B_{0}^{*}}}}\mspace{20mu}{where}\mspace{20mu}{{\theta_{i}\overset{U}{\longleftarrow}F_{q}},\mspace{20mu}{{\overset{\rightarrow}{f}}_{t}\overset{U}{\longleftarrow}F_{q}^{r}},\mspace{85mu}{{\overset{\rightarrow}{s}}^{T}:={\left( {s_{1},\ldots\mspace{14mu},s_{L}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{T}}}},\mspace{20mu}{s_{0}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{T}}},\mspace{20mu}{M\mspace{14mu}{is}\mspace{14mu} a\mspace{14mu}{matrix}\mspace{14mu}{with}\mspace{14mu} L{\mspace{11mu}\;}{rows}\mspace{14mu}{and}\mspace{14mu} r\mspace{14mu}{columns}},{and}}\mspace{20mu}{{n_{t}\mspace{14mu}{is}\mspace{14mu}{an}\mspace{14mu}{integer}\mspace{14mu}{of}\mspace{14mu} 1\mspace{14mu}{or}\mspace{14mu}{more}},}}} & \left\lbrack {{Formula}\mspace{14mu} 8} \right\rbrack \\{\mspace{79mu}{{k_{0}^{*{rk}}:={\left( {k_{0}^{*} + \left( {0,{- s_{0}^{\prime}},0,0} \right)_{B_{0}^{*}}} \right)W_{1}}}\mspace{20mu}{{{{for}\mspace{14mu} i} = 1},{\ldots\mspace{14mu} L\mspace{20mu}{{{if}\mspace{14mu}{\rho(i)}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu}{k_{i}^{*{rk}}:={k_{i}^{*}\left( \overset{\overset{n_{t}}{︷}}{{s_{i}^{\prime}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}^{\prime}{\overset{\rightarrow}{v}}_{i}}} \right)}_{B_{0}^{*}}},\mspace{79mu}{{{if}\mspace{14mu}\rho(i)} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{79mu}{k_{i}^{*{rk}}:=\left( \overset{\overset{n_{t}}{︷}}{s_{i}^{\prime}{\overset{\rightarrow}{v}}_{i}} \right)_{B_{0}^{*}}}}\mspace{20mu}{where}\mspace{20mu}{{\theta_{i}^{\prime}\overset{U}{\longleftarrow}F_{q}},\mspace{20mu}{{\overset{\rightarrow}{f}}_{t}^{\prime}\overset{U}{\longleftarrow}F_{q}^{r}},\mspace{85mu}{{\overset{\rightarrow}{s}}^{\prime\; T}:={\left( {s_{1}^{\prime},\ldots\mspace{14mu},s_{L}^{\prime}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{\prime\; T}}}},\mspace{20mu}{s_{0}^{\prime}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{\prime\; T}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 9} \right\rbrack \\{\mspace{79mu}{{{c_{0}^{enc}:=\left( {\zeta,\delta,{\rho\left( {{verk},1} \right)}} \right)_{B_{0}}},\mspace{20mu}{c_{t}^{enc}:=\left( \overset{\overset{n_{t}}{︷}}{{\delta{\overset{\rightarrow}{x}}_{t}},} \right)_{B_{t}}},{{{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}}\mspace{20mu}{c_{d + 1}^{enc} = {m \cdot g_{T}^{\zeta}}}\mspace{20mu}{where}\mspace{20mu}{\zeta,\delta,{\rho\overset{U}{\longleftarrow}F_{q}},\mspace{20mu}{\Gamma = \left( {\left\{ {\left( {t,{\overset{\rightarrow}{x}}_{t}} \right),{1 \leq t \leq d}} \right\},\mspace{79mu}{d\mspace{14mu}{is}\mspace{14mu}{an}\mspace{14mu}{integer}\mspace{14mu}{of}\mspace{14mu} 1\mspace{14mu}{or}\mspace{14mu}{more}},} \right.}}}} & \left\lbrack {{Formula}\mspace{14mu} 10} \right\rbrack \\{\mspace{79mu}{{{c_{0}^{renc}:={\left( {c_{0}^{enc} + \left( {\zeta^{\prime},{- \delta^{\prime}},{\rho^{\prime}\left( {{verk},1} \right)}} \right)_{B_{0}}} \right)W_{2}}},\mspace{20mu}{c_{t}^{renc}:={{c_{t}^{enc} + {\left( \overset{\overset{n_{t}}{︷}}{\delta^{\prime}{\overset{\rightarrow}{x}}_{t}} \right)_{B_{t}}\mspace{14mu}{for}\mspace{14mu}\left( {t,x_{t}} \right)}} \in \Gamma}},\mspace{20mu}{c_{d + 1}^{renc} = {c_{d + 1}^{enc} \cdot g_{T}^{\zeta^{\prime}}}}}\mspace{20mu}{where}\mspace{20mu}{\zeta^{\prime},\delta^{\prime},{\rho^{\prime}\overset{U}{\longleftarrow}F_{q}}}}} & \left\lbrack {{Formula}\mspace{14mu} 11} \right\rbrack \\{\mspace{79mu}{{{k_{0}^{*{renc}}:={k_{0}^{*{rk}} + \left( {0,{- s_{0}^{''}},{\sigma\left( {{- 1},{verk}} \right)}} \right)_{D_{0}^{*}}}},\mspace{20mu}{{{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},L}\mspace{20mu}{{{{if}\mspace{14mu}{\rho(i)}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},\mspace{20mu}{k_{i}^{*{renc}}:={k_{i}^{*{rk}}\left( \overset{\overset{n_{t}}{︷}}{{s_{i}^{''}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}^{''}{\overset{\rightarrow}{v}}_{i}}} \right)}_{B_{0}^{*}}},\mspace{79mu}{{{if}\mspace{14mu}\rho(i)} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{79mu}{k_{i}^{*{renc}}:={k_{i}^{*{rk}} + \left( \overset{\overset{n_{t}}{︷}}{s_{i}^{''}{\overset{\rightarrow}{v}}_{i}} \right)_{B_{0}^{*}}}}}\mspace{20mu}{where}\mspace{20mu}{{{\overset{\rightarrow}{f}}^{''}\overset{R}{\longleftarrow}F_{q}^{r}},\mspace{85mu}{{\overset{\rightarrow}{s}}^{''\; T}:={\left( {s_{1}^{''},\ldots\mspace{14mu},s_{L}^{''}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{''\; T}}}},\mspace{20mu}{s_{0}^{''}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{''\; T}}},\mspace{20mu}\sigma,{\theta_{i}^{''}\overset{U}{\longleftarrow}F_{q}}}}} & \left\lbrack {{Formula}\mspace{14mu} 12} \right\rbrack \\{\mspace{79mu}{{{{\overset{\sim}{k}}_{0}^{*}:={k_{0}^{*{renc}}W_{1}^{- 1}}},\mspace{20mu}{{\overset{\sim}{c}}_{0}:={c_{0}^{renc}W_{2}^{- 1}}}}\mspace{20mu}{{{\overset{\sim}{k}}_{0}^{*}:={k_{0}^{*{renc}}{\overset{\sim}{W}}_{1}^{- 1}}},\mspace{20mu}{{\overset{\sim}{c}}_{0}:={c_{0}^{renc}{\overset{\sim}{W}}_{2}^{- 1}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 13} \right\rbrack \\{{{\overset{\sim}{K}:={e{\left( {{\overset{\sim}{c}}_{0},{\overset{\sim}{k}}_{0}^{*}} \right) \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}\;{{e\left( {c_{t}^{renc},k_{i}^{*{renc}}} \right)}{\alpha_{i} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {⫬ {({t,{\overset{\rightarrow}{v}}_{i}})}}}\;{{e\left( {c_{t}^{renc},k_{i}^{*{renc}}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}}}}}}}}}\mspace{20mu}{m:={c_{d + 1}^{enc}/\overset{\sim}{K}}}\;\mspace{20mu}{where}\mspace{20mu}{\overset{\rightarrow}{1} = {\sum\limits_{i \in I}\;{\alpha_{i}M_{i}\mspace{20mu}{{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M}}}}},{{{and}\mspace{14mu} I} \subseteq \left\{ {i \in \left\{ {1,\ldots\mspace{14mu},L} \right\}} \middle| {\left\lbrack {{\rho(i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee{\left. \quad\left\lbrack {{\rho(i)} = {⫬ {{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack \right\}.}} \right.}} & \left\lbrack {{Formula}\mspace{14mu} 14} \right\rbrack\end{matrix}$
 7. A re-encryption key generation hardware-includingdevice of a hardware-including cryptographic system that implements aproxy re-encryption function in a cryptographic scheme according towhich when two pieces of information correspond to each other, aciphertext which is set to one of the two pieces of information which isdecrypted with a decryption key which is set to the other one of the twopieces of information, the re-encryption key generationhardware-including device comprising: a decryption key k*^(rk)generation part that generates a decryption key k*^(rk) by converting,using conversion information W₁, a decryption key k* which is set to oneof attribute information x and attribute information v corresponding toeach other; a conversion information W₁ encryption part that generatesencrypted conversion information ψ^(rk) by encrypting the conversioninformation W₁ with one of attribute information x′ and attributeinformation v′ corresponding to each other being set; and are-encryption key transmission part that transmits to a re-encryptionhardware-including device the decryption key k*^(rk) and the encryptedconversion information ψ^(rk), as a re-encryption key rk.
 8. Are-encryption hardware-including device of a hardware-includingcryptographic system that implements a proxy re-encryption function in acryptographic scheme according to which when two pieces of informationcorrespond to each other, a ciphertext which is set to one of the twopieces of information which is decrypted with a decryption key which isset to the other one of the two pieces of information, the re-encryptionhardware-including device comprising: a re-encryption key receiving partthat receives, as a re-encryption key rk, a decryption key k*^(rk) whichis generated by converting, using conversion information W₁, adecryption key k* which is set to one of attribute information x andattribute information v corresponding to each other, and encryptedconversion information ψ^(rk) which is generated by encrypting theconversion information W₁ with one of attribute information x′ andattribute information v′ corresponding to each other being set; aciphertext receiving part that receives a ciphertext c^(enc) which isset to the other one of the attribute information x and the attributeinformation v; a ciphertext c^(renc) generation part that generates aciphertext c^(renc) by setting at least one of additional information Hand additional information Θ corresponding to each other in theciphertext c^(enc) received by the ciphertext receiving part; adecryption key k*^(renc) generation part that generates a decryption keyk*^(renc) by setting at least the other one of the additionalinformation H and the additional information Θ in the decryption keyk*^(rk) included in the re-encryption key rk; and a re-encryptedciphertext transmission part that transmits the ciphertext c^(renc), thedecryption key k*^(renc), and the encrypted conversion informationψ^(rk), as a re-encrypted ciphertext CT.
 9. A cryptographic method forimplementing a proxy re-encryption function in a cryptographic schemeaccording to which when two pieces of information correspond to eachother, a ciphertext which is set to one of the two pieces of informationwhich is decrypted with a decryption key which is set to the other oneof the two pieces of information, the cryptographic method comprising:generating a decryption key k*^(rk) by converting, using conversioninformation W₁, a decryption key k* which is set to one of attributeinformation x and attribute information v corresponding to each other,by a re-encryption key generation hardware-including device; generatingencrypted conversion information ψ^(rk) by encrypting the conversioninformation W₁ with one of attribute information x′ and attributeinformation v′ corresponding to each other being set, by there-encryption key generation hardware-including device; transmitting toa re-encryption device the decryption key k*^(rk) and the encryptedconversion information ψ^(rk), as a re-encryption key rk, by there-encrypted key generation hardware-including device; receiving aciphertext c^(enc) which is set to the other one of the attributeinformation x and the attribute information v, by the re-encryptionhardware-including device; generating a ciphertext c^(renc) by settingat least one of additional information H and additional information Θcorresponding to each other in the ciphertext c^(enc), by there-encryption hardware-including device; generating a decryption keyk*^(renc) by setting at least the other one of the additionalinformation H and the additional information Θ in the decryption keyk*^(rk) included in the re-encryption key rk, by the re-encryptionhardware-including device; and transmitting the ciphertext c^(renc), thedecryption key k*^(renc), and the encrypted conversion informationψ^(rk), as a re-encrypted ciphertext CT, by the re-encryptionhardware-including device.
 10. A non-transitory computer readable mediumstoring a cryptographic program that implements a proxy re-encryptionfunction in a cryptographic scheme according to which when two pieces ofinformation correspond to each other, a ciphertext which is set to oneof the two pieces of information which is decrypted with a decryptionkey which is set to the other one of the two pieces of information, thecryptographic program comprising a non-transitory re-encryption keygeneration program product and a non-transitory re-encryption programproduct, the non-transitory re-encryption key generation program productcausing a computer to execute a decryption key k*^(rk) generationprocess of generating a decryption key k*^(rk) by converting, usingconversion information W₁, a decryption key k* which is set to one ofattribute information x and attribute information v corresponding toeach other; a conversion information W₁ encryption process of generatingencrypted conversion information ψ^(rk) by encrypting the conversioninformation W₁ with one of attribute information x′ and attributeinformation v′ corresponding to each other being set; and are-encryption key transmission process of transmitting to thenon-transitory re-encryption program product the decryption key k*^(rk)and the encrypted conversion information ψ^(rk), as a re-encryption keyrk, the non-transitory re-encryption program product causing a computerto execute a ciphertext receiving process of receiving a ciphertextc^(enc) which is set to the other one of the attribute information x andthe attribute information v; a ciphertext c^(renc) generation process ofgenerating a ciphertext c^(renc) by setting at least one of additionalinformation H and additional information Θ corresponding to each otherin the ciphertext c^(enc) received in the ciphertext receiving process;a decryption key k*^(renc) generation step of generating a decryptionkey k*^(renc) by setting at least the other one of the additionalinformation H and the additional information Θ in the decryption keyk*^(rk) included in the re-encryption key rk; and a re-encryptedciphertext transmission process of transmitting the ciphertext c^(renc),the decryption key k*^(renc), and the encrypted conversion informationψ^(rk), as a re-encrypted ciphertext CT.